Huawei Basic Configuration Guide for Routers

HUAWEI NetEngine5000E Core Router V800R002C01
Configuration Guide - Basic Configurations

Issue 01
Date 2011-10-15

HUAWEI TECHNOLOGIES CO., LTD.

Upload: whenyoufailagain

Post on 29-Oct-2015

258 views

Category:

Documents


8 download

DESCRIPTION

HUAWEI Huawei Configuration Guide for Routers 2013Basica Configuracion para modems y Routers Huawei 2013

TRANSCRIPT

Page 1: Huawei Basic  Configuration Guide for Routers

HUAWEI NetEngine5000E Core RouterV800R002C01

Configuration Guide - BasicConfigurations

Issue 01

Date 2011-10-15

HUAWEI TECHNOLOGIES CO., LTD.

Page 2: Huawei Basic  Configuration Guide for Routers

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

[Huawei logo] and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 01 (2011-10-15)    Huawei Proprietary and Confidential    Copyright © Huawei Technologies Co., Ltd.    i


About This Document

Intended Audience

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the Basic Configurations feature supported by the NE5000E device.

This document describes how to configure the Basic Configurations feature.

This document is intended for:

- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Related Versions (Optional)

The following table lists the product versions related to this document.

Product Name                         Version
HUAWEI NetEngine5000E Core Router    V800R002C01

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol    Description
[icon]    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
[icon]    Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.


[icon]    Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
[icon]    Indicates a tip that may help you solve a problem or save time.
[icon]    Provides additional information to emphasize or supplement important points of the main text.

Command Conventions (Optional)

The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 01 (2011-10-15)

The initial commercial release.


Contents

About This Document ..... ii

1 Logging In to the System for the First Time ..... 1
  1.1 Overview of Logging In to the System for the First Time ..... 2
  1.2 Logging In to the router Through the Console Port ..... 2
    1.2.1 Logging In to the router Through the Console Port ..... 3
    1.2.2 Logging In to the router ..... 3

2 Configure the User Interface ..... 6
  2.1 User Interface Overview ..... 7
  2.2 Configuring the Console User Interface ..... 8
    2.2.1 Configuring Physical Attributes for the Console User Interface ..... 9
    2.2.2 Configuring Terminal Attributes for the Console User Interface ..... 10
    2.2.3 Configuring the User Priority for the Console User Interface ..... 11
    2.2.4 Configuring Authentication for the Console User Interface ..... 12
    2.2.5 Checking the Configuration ..... 13
  2.3 Configuring VTY User Interfaces ..... 14
    2.3.1 Configuring the Maximum Number of VTY User Interfaces ..... 15
    2.3.2 Configuring the Limit on Incoming and Outgoing Calls for VTY User Interfaces ..... 16
    2.3.3 Configuring Terminal Attributes for VTY User Interfaces ..... 16
    2.3.4 Configuring the User Priority for a VTY User Interface ..... 17
    2.3.5 Configuring Authentication for a VTY User Interface ..... 18
    2.3.6 Checking the Configuration ..... 20
  2.4 Configuration Examples ..... 21
    2.4.1 Example for Configuring the Console User Interface ..... 21
    2.4.2 Example for Configuring VTY User Interfaces ..... 23

3 Configuring User Login ..... 26
  3.1 User Login Overview ..... 27
  3.2 Logging In to the System Through the Console Port ..... 30
    3.2.1 Configuring the Console User Interface ..... 30
    3.2.2 Logging In to the System Through the Console Port ..... 31
    3.2.3 Checking the Configuration ..... 31
  3.3 Logging In to the System by Using Telnet ..... 32
    3.3.1 Configuring VTY User Interfaces ..... 33


    3.3.2 (Optional) Configuring Local Telnet Users ..... 33
    3.3.3 Enabling the Telnet Server Function ..... 34
    3.3.4 (Optional) Configuring the Listening Port Number for the Telnet Server ..... 35
    3.3.5 Logging In to the System by Using Telnet ..... 36
    3.3.6 Checking the Configuration ..... 37
  3.4 Logging In to the System by Using STelnet ..... 37
    3.4.1 Configuring VTY User Interfaces ..... 38
    3.4.2 Configuring VTY User Interfaces to Support SSH ..... 39
    3.4.3 Configuring an SSH User and Specifying the Service Type ..... 39
    3.4.4 Enabling the STelnet Server Function ..... 42
    3.4.5 (Optional) Configuring STelnet Server Parameters ..... 42
    3.4.6 Logging In to the System by Using STelnet ..... 43
    3.4.7 Checking the Configuration ..... 44
  3.5 Configuration Examples ..... 46
    3.5.1 Example for Logging In to the System Through the Console Port ..... 46
    3.5.2 Example for Logging In to the System by Using Telnet ..... 48
    3.5.3 Example for Logging In to the System by Using STelnet ..... 51

4 Transferring Files ..... 55
  4.1 File Transfer Overview ..... 56
  4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E ..... 57
  4.3 Operating Files After Logging In to the System ..... 58
    4.3.1 Managing Directories ..... 59
    4.3.2 Managing Files ..... 59
  4.4 Using FTP to Operate Files ..... 61
    4.4.1 Configuring a Local FTP User ..... 62
    4.4.2 (Optional) Changing the Listening Port Number of the FTP Server ..... 63
    4.4.3 Enabling the FTP Server Function ..... 63
    4.4.4 (Optional) Configuring FTP Server Parameters ..... 64
    4.4.5 (Optional) Configuring FTP Access Control ..... 65
    4.4.6 Using FTP to Access the System ..... 65
    4.4.7 Using FTP to Operate Files ..... 66
    4.4.8 Checking the Configuration ..... 69
  4.5 Using SFTP to Operate Files ..... 70
    4.5.1 Configuring an SSH User and Specifying the Service Type ..... 71
    4.5.2 Enabling the SFTP Server Function ..... 73
    4.5.3 (Optional) Configuring SFTP Server Parameters ..... 74
    4.5.4 Using SFTP to Access the System ..... 76
    4.5.5 Using SFTP to Operate Files ..... 77
    4.5.6 Checking the Configuration ..... 78
  4.6 Configuration Examples ..... 80
    4.6.1 Example for Operating Files After Logging In to the System ..... 80
    4.6.2 Example for Using FTP to Operate Files ..... 80


    4.6.3 Example for Using SFTP to Operate Files ..... 83

5 Accessing Other Devices ..... 86
  5.1 Overview ..... 87
  5.2 Using Telnet to Log In to Other Devices ..... 89
  5.3 Using STelnet to Log In to Other Devices ..... 91
    5.3.1 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client) ..... 92
    5.3.2 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server) ..... 93
    5.3.3 Using STelnet to Log In to Other Devices ..... 94
    5.3.4 Checking the Configuration ..... 95
  5.4 Using TFTP to Access Other Devices ..... 95
    5.4.1 Configuring the Source Address for the TFTP Client ..... 96
    5.4.2 Configuring TFTP Access Control ..... 96
    5.4.3 Using TFTP to Download Files from Other Devices ..... 97
    5.4.4 Using TFTP to Upload Files to Other Devices ..... 98
    5.4.5 Checking the Configuration ..... 98
  5.5 Using FTP to Access Other Devices ..... 99
    5.5.1 (Optional) Configuring the Source Address for the FTP Client ..... 100
    5.5.2 Using FTP to Connect the FTP Client to Other Devices ..... 100
    5.5.3 Using FTP to Operate Files ..... 101
    5.5.4 (Optional) Changing the User Login ..... 103
    5.5.5 Terminating a Connection to the FTP Server ..... 104
    5.5.6 Checking the Configuration ..... 105
  5.6 Using SFTP to Access Other Devices ..... 105
    5.6.1 (Optional) Configuring the Source Address for the SFTP Client ..... 106
    5.6.2 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client) ..... 107
    5.6.3 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server) ..... 107
    5.6.4 Using SFTP to Connect the SSH Client to the SSH Server ..... 109
    5.6.5 Using SFTP to Operate Files ..... 109
    5.6.6 Checking the Configuration ..... 111
  5.7 Configuration Examples ..... 111
    5.7.1 Example for Using Telnet to Log In to Other Devices ..... 111
    5.7.2 Example for Using STelnet to Log In to Other Devices ..... 113
    5.7.3 Example for Using TFTP to Access Other Device ..... 120
    5.7.4 Example for Using FTP to Access Other Devices ..... 123
    5.7.5 Example for Using SFTP to Access Other Devices ..... 125
    5.7.6 Example for Accessing the SSH Server by Using a Non-default Listening Port Number ..... 131
    5.7.7 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private Network ..... 137

6 Using the Command Line Interface ..... 148


  6.1 Overview of the Command Line Interface ..... 149
  6.2 Establishing the Running Environment for the Command Line ..... 149
    6.2.1 Configuring the Login Alert ..... 150
    6.2.2 Setting a Device Name ..... 150
    6.2.3 Configuring Command Levels ..... 151
    6.2.4 Lock the User Interface ..... 152
  6.3 How to Use Command Lines ..... 152
    6.3.1 Entering a Command View ..... 153
    6.3.2 Editing Command Lines ..... 153
    6.3.3 Checking the Configuration ..... 154
    6.3.4 Checking the Diagnostic Information ..... 155
    6.3.5 Display Mode of Command Lines ..... 155
    6.3.6 Error Information in Command Lines ..... 159
  6.4 How to Obtain Command Help ..... 159
  6.5 How to Use Shortcut Keys ..... 160
    6.5.1 Classification of Shortcut Keys ..... 161
    6.5.2 Defining Shortcut Keys ..... 161
    6.5.3 Displaying Shortcut Keys and Their Functions ..... 162
  6.6 Configuration Examples ..... 163
    6.6.1 Example for Using Tab ..... 163
    6.6.2 Example for Defining Shortcut Keys ..... 164

7 Device Upgrade ..... 166
  7.1 Overview of Device Upgrade ..... 167
  7.2 Upgrade Modes Supported by the NE5000E ..... 167

8 Patch Installation ..... 169
  8.1 Overview ..... 170
  8.2 Patch Installation Modes Supported by the NE5000E ..... 170

9 Configuration Management ..... 171
  9.1 Introduction to Configuration Management ..... 172
  9.2 Configuration Management Features that the NE5000E Supports ..... 173
  9.3 Selecting a Configuration Validation Mode ..... 173
    9.3.1 Configuring Immediate Configuration Validation Mode ..... 174
    9.3.2 Configuring Two-Phase Configuration Validation Mode ..... 175
  9.4 Managing Configuration Files ..... 177
    9.4.1 Saving Configurations ..... 178
    9.4.2 Comparing Configuration Files ..... 179
    9.4.3 Specifying the System Configuration File to Be Loaded at the Next Startup ..... 179
    9.4.4 Clearing the System Configuration File Loaded at the Current Startup ..... 180
    9.4.5 Checking the Configuration ..... 181
  9.5 Configuration Examples ..... 183
    9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode ..... 183


    9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another User in Two-Phase Configuration Validation Mode ..... 184
    9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration Validation Mode ..... 186
    9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode ..... 187
    9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase Configuration Validation Mode ..... 189
    9.5.6 Example for Managing Configuration Files ..... 191

10 File System Management ..... 193
  10.1 File System Overview ..... 194
  10.2 File System Supported by the NE5000E ..... 194
  10.3 Managing the Directory ..... 194
  10.4 Managing Files ..... 195
  10.5 Configuration Examples ..... 197
    10.5.1 Example for Managing a Directory ..... 197
    10.5.2 Example for Managing Files ..... 198

11 Clock Synchronization Configuration ..... 200
  11.1 Clock Synchronization Overview ..... 201
  11.2 Clock Synchronization Features Supported by the NE5000E (NE5000E-X16) ..... 202
  11.3 Configuring an External BITS Clock Reference Source ..... 206
    11.3.1 Configuring an External Clock Reference Source for the router and the Clock Signal Type ..... 207
    11.3.2 Configuring a Mapping from an External Clock Reference Source to the Index of a User Clock Source for the router ..... 207
    11.3.3 Checking the Configuration ..... 208
  11.4 Specifying a Clock Source Manually ..... 209
  11.5 Configuring Automatic Clock Source Selection to Be Based on Priorities ..... 210
    11.5.1 Configuring the System to Automatically Select a Clock Source ..... 211
    11.5.2 Configuring Clock Source Selection Not to Be Based on SSM Levels ..... 212
    11.5.3 Setting the Priority of a Clock Source ..... 212
    11.5.4 Checking the Configuration ..... 213
  11.6 Configuring Automatic Clock Source Selection to Be Based on SSM Levels ..... 214
    11.6.1 Configuring the System to Automatically Select a Clock Source ..... 215
    11.6.2 Configuring Clock Source Selection to Be Based on SSM Levels ..... 216
    11.6.3 (Optional) Setting the SSM Level of a 2.048 MHz BITS Clock Source ..... 216
    11.6.4 Configuring SA Timeslots in 2.048 Mbit/s BITS Clock Source Signals to Bear SSM Levels ..... 217
    11.6.5 Checking the Configuration ..... 218
  11.7 Configuration Examples ..... 219
    11.7.1 Example for Configuring Protection Switching Among Clock Sources ..... 219

HUAWEI NetEngine5000E Core RouterConfiguration Guide - Basic Configurations Contents

Issue 01 (2011-10-15) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

viii

Page 10: Huawei Basic  Configuration Guide for Routers

1 Logging In to the System for the First Time

About This Chapter

To configure a new device, you must first log in to it through the console port.

1.1 Overview of Logging In to the System for the First Time
A user can log in to a device that is powered on for the first time only through the console port. Other login modes can be configured after the first login.

1.2 Logging In to the router Through the Console Port
A terminal connected to the console port on the router provides the configuration environment.


1.1 Overview of Logging In to the System for the First Time
A user can log in to a device that is powered on for the first time only through the console port. Other login modes can be configured after the first login.

The console port is a serial port on the main control board. Each main control board provides one console port that conforms to the EIA/TIA-232 standard. The console port is a Data Communications Equipment (DCE) interface. Users can connect the serial interface of a terminal directly to the console port to configure the device.

The console port has the following states:

l Connected: a terminal session is established on the console port.

l Disconnected: no terminal session is established on the console port.

1.2 Logging In to the router Through the Console Port
A terminal connected to the console port on the router provides the configuration environment.

Applicable Environment

When the router is powered on for the first time, you must use the console port to log in to the router before you can configure and manage it.

Pre-configuration Tasks

Before logging in to the router through the console port, complete the following tasks:

l Preparing a PC or a terminal with a serial interface, and an RS-232 cable

l Installing a terminal emulator on the PC, such as Windows XP HyperTerminal

Configuration Procedures

Figure 1-1 Logging in to the router through the console port (flow: establish a physical connection, then log in to the device; both steps are mandatory)


1.2.1 Logging In to the router Through the Console Port
A terminal connected to the console port on the router provides the configuration environment. The applicable environment, pre-configuration tasks, and procedure flow are those given under 1.2.


1.2.2 Logging In to the router
You can use a PC connected to the console port to log in to a router that is powered on for the first time, and then configure and manage it.

Context

Configure the physical attributes on the PC to match those of the console port on the router: transmission rate, data bits, parity bit, stop bits, and flow control mode. When the router is logged in to for the first time, the console port uses its default values (9600 bit/s, 8 data bits, no parity, 1 stop bit, no flow control; see 2.2.1), so the terminal must be set to the same values.

Procedure

Step 1 Start a terminal emulator (such as HyperTerminal on Windows XP) on the PC and create a new connection, as shown in Figure 1-3, then click OK.


Figure 1-3 Establishing a connection

Step 2 Set the COM port. Follow the instructions as shown in Figure 1-4 and click OK.

Figure 1-4 Setting the COM port

Step 3 Set the communication parameters for the COM port to the router's default values, as shown in Figure 1-5, and click OK.


Figure 1-5 Setting communication parameters

The command prompt <HUAWEI> appears and the user view is displayed; you can now start configuring the device.

In the user view, you can configure the device, check its operating status, or enter a question mark (?) for online help.

----End


2 Configure the User Interface

About This Chapter

When a user logs in to the router through the console port or using Telnet or Secure Shell (SSH),the system uses a corresponding user interface to manage and monitor the session between therouter and the user.

2.1 User Interface Overview
The system supports console and Virtual Type Terminal (VTY) user interfaces.

2.2 Configuring the Console User Interface
The console user interface manages and monitors users logging in to a device through the console port.

2.3 Configuring VTY User Interfaces
VTY user interfaces manage and monitor users logging in to the device by using VTY.

2.4 Configuration Examples
This section provides examples for configuring console and VTY user interfaces. Each example describes the networking requirements, configuration roadmap, and configuration notes.


2.1 User Interface Overview
The system supports console and Virtual Type Terminal (VTY) user interfaces.

Users can log in to a device to configure, monitor, and maintain local or remote network devicesonly after user interfaces, user management, and terminal services are configured. Userinterfaces provide the login entrance. User management ensures login security. Terminalservices offer login protocols.

Each user interface has a corresponding user interface view. A network administrator can configure a set of parameters in a user interface view to determine whether authentication is required and the level of logged-in users. This allows uniform management of the various user sessions.

Currently, the following user interfaces are supported:

l Console: manages and monitors users logging in through the console port. The console port is an EIA/TIA-232 DCE port.

l VTY: manages and monitors users logging in using VTY. A VTY connection is set up when a user uses Telnet or SSH to log in to the device. A maximum of 18 users can log in to the device by using VTY.

NOTE

A user who logs in using different login modes is allocated different user interfaces. A user who logs in several times using the same mode may also be allocated different user interfaces each time.

User Interface Numbering

After a user logs in to a device, the system allocates the idle user interface with the smallest number for that user's login mode. The login is then governed by the configuration of that user interface.

User interfaces can be numbered in the following manners:

l Relative numbering
The relative numbering uniquely specifies a user interface or a group of user interfaces of the same type. The numbering format is user interface type + number, adhering to the following rules:

– Console port numbering: CON0.

– VTY user interface numbering: The first VTY is 0, the second VTY is 1, and so on.

l Absolute numbering
The absolute numbering uniquely specifies a user interface or a group of user interfaces. The number starts with 0 and increases by 1. The console port is numbered before the VTY user interfaces. There are 20 consoles and 18 VTY user interfaces. You can run the user-interface maximum-vty command in the system view to set the maximum number of VTY user interfaces. The default value is 5. Table 2-1 shows the default absolute numbers of the console and VTY user interfaces. Numbers 1 to 32 are reserved for TTY user interfaces.


Table 2-1 Example of absolute numbers for user interfaces

Absolute Number    User Interface
0                  CON0
34                 VTY0: the first VTY
35                 VTY1: the second VTY
36                 VTY2: the third VTY
37                 VTY3: the fourth VTY
38                 VTY4: the fifth VTY

Authentication for User Interfaces

After an authentication mode is configured for a user interface, the system authenticates users who log in through that user interface. The authentication modes are as follows:

l No-authentication: Users can log in to the device without entering a user name or password. This mode is insecure and is not recommended.

l Password authentication: Users enter a password but no user name. Because the password is shared by everyone using the interface, a login cannot be attributed to an individual.

l AAA authentication: Users must enter both a user name and a password. If either the user name or the password is incorrect, the login fails. Telnet users are usually authenticated in AAA mode.

User Priorities for User Interfaces

Users who log in to the device are managed based on user levels. Like command levels, users are classified into 18 levels from 0 to 17. The greater the value, the higher the user level.

The level of commands that a user can use is determined by the user level.

l If no-authentication or password authentication is configured, the level of commands thata user can use depends on the level of the user interface through which the user logs in.

l If AAA authentication is configured, the level of commands that a user can use dependson the local user priority specified in the AAA configuration.

2.2 Configuring the Console User Interface
The console user interface manages and monitors users logging in to a device through the console port.

Applicable Environment

If you need to log in to a device through the console port for local maintenance, configure the console user interface, including the physical attributes, terminal attributes, user priority, and user authentication mode. Configure the parameters according to the usage and security requirements.


Pre-configuration Tasks
Before configuring the console user interface, complete the following task:

l Logging In to the router Through the Console Port

Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.

2.2.1 Configuring Physical Attributes for the Console User Interface
Physical attributes of the console user interface include the baud rate, flow control mode, parity bit, stop bits, and data bits for the console port.

Context
When a user logs in to a device through the console port, the physical attributes set on the terminal emulator for the COM port must match those of the console user interface on the device. Otherwise, the user cannot log in to the device.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface console ui-number

The console user interface view is displayed.

Step 3 Run: speed line-speed

The transmission rate is set.

The value can be 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, or 115200, in bit/s. By default, the value is 9600.

Step 4 Run: flow-control { hardware | none | software }

The flow control mode is set.

By default, the value is none.

The none mode indicates that flow control is not applied on the console port.

Step 5 Run: parity { even | mark | none | odd | space }

The parity bit is set.

By default, the value is none.

Step 6 Run: stopbits { 1.5 | 1 | 2 }


The stop bits are set.

By default the value is 1.

Step 7 Run: databits { 5 | 6 | 7 | 8 }

The data bits are set.

By default, the value is 8.

Step 8 Run: commit

The configuration is committed.

----End

2.2.2 Configuring Terminal Attributes for the Console User Interface

Terminal attributes of the console user interface include the timeout period of an idle connection,number of lines displayed on a terminal screen, and buffer size for previously used commands.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface console ui-number

The console user interface view is displayed.

Step 3 Run: shell

The terminal service is started.

Step 4 Run: idle-timeout minutes [ seconds ]

The timeout period is set.

By default, the idle timeout period on the user interface is 10 minutes.

Step 5 Run: screen-length screen-length

The screen length of the console terminal is set.

By default, the length of a terminal screen is 24 rows.

Step 6 Run: screen-width screen-width

The screen width of the console terminal is set.

Screen width of the console terminal is set.


By default, the value is 80.

Step 7 Run: history-command max-size size-value

The buffer of the history command is set.

By default, the size of history command buffer on a user interface is 10 entries.

Step 8 Run: commit

The configuration is committed.

----End

2.2.3 Configuring the User Priority for the Console User Interface
You can set user priorities for user interfaces to manage users based on their levels. This section describes how to set the user priority for the console user interface.

Context
User levels correspond to command levels. After logging in to the system, a user can use commands of the corresponding level or lower.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface console ui-number

The console user interface view is displayed.

Step 3 Run: user privilege level level

The user priority is set.

By default, users logging in through the console user interface can use commands at level 3, andusers logging in through other user interfaces can use commands at level 0.

NOTE

If the user priority configured for the user interface conflicts with the priority configured for the user, the user's own level takes precedence. For example, if user 001 can use commands at level 3 and the user level configured in the Console 0 user interface view is 2, then after user 001 logs in through Console 0 the user can use commands at level 3 or lower. A per-user level exists only under AAA authentication; under password or no-authentication mode the user interface level alone applies (see "User Priorities for User Interfaces" in 2.1).

Step 4 Run: commit

The configuration is committed.

----End


2.2.4 Configuring Authentication for the Console User Interface
The system provides three authentication modes: AAA, password authentication, and no-authentication. Configuring authentication improves system security.

Procedure
l Configure AAA authentication.

1. Run: system-view

The system view is displayed.

2. Run: user-interface console ui-number

The console user interface view is displayed.

3. Run: authentication-mode aaa

The authentication mode is set to AAA.

4. Run: quit

Exit from the console user interface view.

5. Run: aaa

The AAA view is displayed.

6. Run: local-user user-name password { simple | cipher } password

The user name and password are set.

– If simple is specified, the password is entered in plain text and is stored in plain text in the configuration file.
– If cipher is specified, the password can be entered either as cipher text or as plain text; in both cases it is stored as cipher text in the configuration file. Use cipher so that the password cannot be read by anyone who can view or export the configuration.

7. Run: commit

The configuration is committed.

l Configure password authentication.

1. Run: system-view

The system view is displayed.

2. Run: user-interface console ui-number

The console user interface view is displayed.

3. Run: authentication-mode password

Password authentication is set.


4. Run: set authentication password { cipher | simple } password

The authentication password is set.

– If simple is specified, the password is entered in plain text and is stored in plain text in the configuration file.

– If cipher is specified, the password can be entered either as cipher text or as plain text; in both cases it is stored as cipher text in the configuration file.

5. Run: commit

The configuration is committed.

l Configure no-authentication.

1. Run: system-view

The system view is displayed.

2. Run: user-interface console ui-number

The console user interface view is displayed.

3. Run: authentication-mode none

No-authentication is set.

4. Run: commit

The configuration is committed.

----End

2.2.5 Checking the Configuration
After configuring the console user interface, you can view user login information about the user interface, the physical attributes and configuration of the user interface, the local user list, and the online users.

Prerequisite
The configuration of the console user interface is complete.

Procedure
l Run the display users [ all ] command to check user login information about user interfaces.

l Run the display user-interface console 0 command to check the physical attributes and configuration of the user interface.

l Run the display local-user command to check the local user list.

l Run the display access-user command to check information about logged-in users.

----End


Example
Run the display users command to view user login information about the current user interface.

<HUAWEI> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0
  Username : Unspecified
+ 258 VTY 0    00:00:00 TEL   10.164.6.15         pass            no
  Username : Unspecified
  259 VTY 1
  Username : Unspecified

Run the display user-interface console 0 command to view physical attributes andconfigurations of the user interface.

<HUAWEI> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     3     -           N     -
  1    CON 0    9600       -     3     -           N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command to view the local user list.

<HUAWEI> display local-user
----------------------------------------------------------------------------
  Username            State   Type     Online
----------------------------------------------------------------------------
  user123             Active  All      0
  ll                  Active  F        0
  user1               Active  F        0
----------------------------------------------------------------------------
  Total 3,3 printed

Run the display access-user command to view information about logged-in users.

<HUAWEI> display access-user
-----------------------------------------------
  User-name    domain-name    userid
-----------------------------------------------
  root         default        1
  abcd         default        2
-----------------------------------------------
  Total users            : 2
  Wait authen-ack        : 0
  Authentication success : 2
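The display users output above (and the same check in 2.3.6) is what an operator scans by hand for sessions that should not be there. The following Python script is an added example and not Huawei's code: it parses display users output in the layout shown on this page and flags remote sessions that use cleartext Telnet, that come from outside an assumed management network, or that carry no user name (which is what password or no-authentication mode produces). The sample output and its addresses are constructed for the example; the management network 10.164.6.0/24 is an assumption.

```python
"""Parse `display users` output and flag remote sessions that break a
simple management policy.  Added example, not Huawei's code.  The sample
output below is constructed in the layout shown on this page."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample output; addresses and delays are made up.
SAMPLE_DISPLAY_USERS = """\
<HUAWEI> display users
  User-Intf    Delay    Type  Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0    00:00:05                           pass            no
  Username : Unspecified
+ 258 VTY 0    00:00:00 TEL   10.164.6.15         pass            no
  Username : Unspecified
  259 VTY 1    00:03:12 SSH   192.0.2.77          pass            no
  Username : admin
"""

# A session row: optional '+', absolute index, CON/VTY, relative index, rest.
ROW_RE = re.compile(r"^\s*(\+?)\s*(\d+)\s+(CON|VTY)\s+(\d+)\s*(.*)$")
USER_RE = re.compile(r"^\s*Username\s*:\s*(\S+)")


@dataclass
class Session:
    absolute: int                 # absolute user-interface number
    ui: str                       # relative name, e.g. "VTY 0"
    active: bool                  # '+' marks the session that ran the command
    protocol: Optional[str]       # "TEL", "SSH", or None for the console
    address: Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]
    username: Optional[str]       # "Unspecified" when no user name was given


def parse_display_users(output):
    """Return one Session per row; the Username line that follows a row is attached to it."""
    sessions = []
    lines = output.splitlines()
    for i, line in enumerate(lines):
        m = ROW_RE.match(line)
        if not m:
            continue
        tokens = m.group(5).split()
        protocol = next((t for t in tokens if t in ("TEL", "SSH")), None)
        address = None
        for t in tokens:                  # first token that parses as an IP address
            try:
                address = ipaddress.ip_address(t)
                break
            except ValueError:
                continue
        username = None
        if i + 1 < len(lines):
            u = USER_RE.match(lines[i + 1])
            if u:
                username = u.group(1)
        sessions.append(Session(int(m.group(2)), f"{m.group(3)} {m.group(4)}",
                                m.group(1) == "+", protocol, address, username))
    return sessions


def flag_sessions(sessions, management_networks):
    """Return (ui, reason) pairs for remote sessions that violate the policy.
    management_networks: CIDR strings from which management logins are expected."""
    allowed = [ipaddress.ip_network(n) for n in management_networks]
    alerts = []
    for s in sessions:
        if s.ui.startswith("CON"):
            continue  # console sessions are local; no network or protocol policy applies
        if s.protocol == "TEL":
            alerts.append((s.ui, "cleartext Telnet session"))
        if s.address is not None and not any(s.address in net for net in allowed):
            alerts.append((s.ui, f"source {s.address} outside the management network"))
        if s.username in (None, "Unspecified"):
            alerts.append((s.ui, "no per-user identity: password or no-authentication mode"))
    return alerts


if __name__ == "__main__":
    for ui, reason in flag_sessions(parse_display_users(SAMPLE_DISPLAY_USERS),
                                    ["10.164.6.0/24"]):
        print(f"{ui}: {reason}")
```

Feed the script the captured output of display users (for example, from a scheduled SSH collection) and compare the alerts against change tickets; a VTY session without a user name on a device that is supposed to run AAA is a direct sign that one of the VTY ranges was left in password or no-authentication mode.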

2.3 Configuring VTY User Interfaces
VTY user interfaces manage and monitor users logging in to the device by using VTY.

Applicable Environment
If you need to log in to a device for local or remote configuration and maintenance by using Telnet or SSH, configure the VTY user interfaces, including the maximum number of VTY user interfaces, the limit on incoming and outgoing calls, terminal attributes, user priority, and user authentication mode. Configure the parameters according to the usage and security requirements.


Pre-configuration Tasks
Before configuring VTY user interfaces, complete the following task:

l Logging In to the router Through the Console Port

Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.

2.3.1 Configuring the Maximum Number of VTY User Interfaces
Configuring the maximum number of VTY user interfaces limits the number of simultaneous login users.

Context
The maximum number of VTY user interfaces is the total number of users that can be logged in through Telnet and SSH at the same time.

CAUTION
If the maximum number of VTY user interfaces is set to 0, no user can log in to the device through VTY (Telnet or SSH).

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface maximum-vty number

The maximum number of VTY user interfaces is set.

l If the configured maximum number is smaller than the original, logged-in users are not affected and no additional configuration is needed.

l If the configured maximum number is greater than the original, configure the authentication mode and password for the additional user interfaces. The system uses password authentication for users logging in through the newly added user interfaces. For example, run the authentication-mode and set authentication password commands to increase the allowed login users from 5 to 18:

<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 18
[~HUAWEI] user-interface vty 5 17
[~HUAWEI-ui-vty5-17] authentication-mode password
[~HUAWEI-ui-vty5-17] set authentication password cipher huawei

Replace the example password with a strong one before committing.

Step 3 Run: commit


The configuration is committed.

----End

2.3.2 Configuring the Limit on Incoming and Outgoing Calls for VTY User Interfaces

An Access Control List (ACL) can be configured to limit incoming and outgoing calls for VTY user interfaces.

Context
An ACL can be configured to either permit or deny Telnet connections based on source or destination IP addresses:

l A basic ACL, numbered 2000 to 2999, controls Telnet connections based on source IP addresses.

l An advanced ACL, numbered 3000 to 3999, controls Telnet connections based on both source and destination IP addresses.

Before configuring the limit on incoming and outgoing calls for VTY user interfaces, run the acl command in the system view to create an ACL and enter the ACL view. Then run the rule command to add rules to the ACL.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

Step 3 Run: acl { acl-number | name acl-name } { inbound | outbound }

The limit on incoming and outgoing calls is set for the VTY user interface.

l Choose inbound to permit or deny logins to this device from a specified IP address or address range.

l Choose outbound to permit or deny logged-in users from initiating connections from this device to other devices.

Step 4 Run: commit

The configuration is committed.

----End

2.3.3 Configuring Terminal Attributes for VTY User Interfaces
Terminal attributes of VTY user interfaces include the timeout period of an idle connection, the number of rows displayed on a terminal screen, and the buffer size for previously used commands.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

Step 3 Run: shell

The VTY terminal service is enabled.

Step 4 Run: idle-timeout minutes [ seconds ]

The timeout period of an idle connection is set.

If the connection stays idle for the whole timeout period, the system automatically terminates the connection when the period expires.

By default, the timeout period is 10 minutes.

Step 5 Run: screen-length screen-length

The number of rows displayed on a terminal screen is set.

By default, a terminal screen displays 24 rows.

Step 6 Run: history-command max-size size-value

The buffer size for previously used commands is set.

By default, a maximum of 10 previously used commands can be cached in the buffer.

Step 7 Run: commit

The configuration is committed.

----End

2.3.4 Configuring the User Priority for a VTY User Interface
To improve security, user priorities can be set for user interfaces to manage users based on their levels. This section describes how to set a user priority for a VTY user interface.

Context

User levels correspond to command levels. After logging in to the system, a user can use commands of the corresponding level or lower.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

Step 3 Run: user privilege level level

The user priority is set.

By default, users logging in from a VTY user interface can use commands at level 0.

NOTE

If the user priority configured for the user interface conflicts with the priority configured for the user, the user's own level takes precedence.

For example, if a user can use commands at level 3 and the user level configured in the VTY0 user interface view is 2, then after the user logs in through VTY0 the user can use commands at level 3 or lower. A per-user level exists only under AAA authentication; under password or no-authentication mode the level of the VTY user interface alone determines what a remote user can run, so keep it at the minimum the maintenance task needs.

Step 4 Run: commit

The configuration is committed.

----End

2.3.5 Configuring Authentication for a VTY User Interface
The system provides three authentication modes: AAA, password authentication, and no-authentication. Configuring authentication improves system security.

Procedure
l Configure AAA authentication.

1. Run: system-view

The system view is displayed.

2. Run: user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

3. Run: authentication-mode aaa

The authentication mode is set to AAA.

4. Run: commit

The configuration is committed.


5. Run: quit

Exit from the VTY user interface view.

6. Run: aaa

The AAA view is displayed.

7. Run: local-user user-name password { simple | cipher } password

The user name and password are set.

– If simple is specified, the password is entered in plain text and is stored in plain text in the configuration file.
– If cipher is specified, the password can be entered either as cipher text or as plain text; in both cases it is stored as cipher text in the configuration file.

8. Run: commit

The configuration is committed.

l Configure password authentication.

1. Run: system-view

The system view is displayed.

2. Run: user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

3. Run: authentication-mode password

The authentication mode is set to password authentication.

4. Run: set authentication password { cipher | simple } password

The local authentication password is set.

– If simple is specified, the password is entered in plain text and is stored in plain text in the configuration file.
– If cipher is specified, the password can be entered either as cipher text or as plain text; in both cases it is stored as cipher text in the configuration file.

5. Run: commit

The configuration is committed.

l Configure no-authentication.

1. Run: system-view

The system view is displayed.

2. Run: user-interface vty first-ui-number [ last-ui-number ]


   A VTY user interface view is displayed.
3. Run: authentication-mode none
   Authentication mode is set to no-authentication. Any host that can reach the VTY user interface can then log in without a credential; if this mode must be used at all, restrict the interface with an inbound ACL.
4. Run: commit
   The configuration is committed.

----End

2.3.6 Checking the Configuration

After configuring the VTY user interfaces, you can view user login information about the VTY user interfaces, the maximum number of VTY user interfaces, and the physical attributes and configuration of the VTY user interfaces.

Prerequisite

The configuration of VTY user interfaces is complete.

Procedure

- Run the display users [ all ] command to check user login information about user interfaces.
- Run the display user-interface maximum-vty command to check the configured maximum number of VTY user interfaces.
- Run the display user-interface vty ui-number command to check physical attributes and configuration of the user interface.
- Run the display local-user command to check the local user list.
- Run the display vty mode command to check the VTY mode.

----End

Example

Run the display users command to view user login information about the current user interface.

<HUAWEI> display users
  User-Intf    Delay     Type  Network Address    AuthenStatus  AuthorcmdFlag
  0   CON 0
  Username : Unspecified
+ 258 VTY 0    00:00:00  TEL   10.164.6.15        pass          no
  Username : Unspecified
  259 VTY 1
  Username : Unspecified

Run the display user-interface maximum-vty command to view the configured maximum number of VTY user interfaces.

<HUAWEI> display user-interface maximum-vty
  Maximum of VTY user:15

Run the display user-interface vty command to view the configured user interface information.

<HUAWEI> display user-interface vty
  Idx  Type    Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
+ 34   VTY 0           -      15     15           N     -
  + : Current UI is active.
  F : Current UI is active and work in async mode.


  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

In the Auth column, N on a VTY user interface means that any host able to reach the interface can log in without a credential; on a production device every VTY should show A or P.

Run the display access-user command to view information about logged-in users.

<HUAWEI> display access-user
  -----------------------------------------------
  User-name        domain-name        userid
  -----------------------------------------------
  root             default            1
  abcd             default            2
  -----------------------------------------------
  Total users              : 2
  Wait authen-ack          : 0
  Authentication success   : 2

Run the display vty mode command to view the configured VTY mode. For example:

<HUAWEI> display vty mode
current VTY mode is Human-Machine interface

2.4 Configuration Examples

This section provides examples for configuring console and VTY user interfaces. These examples explain networking requirements, configuration roadmap, and configuration notes.

2.4.1 Example for Configuring the Console User Interface

In this configuration example, the physical attributes, terminal attributes, user priority, user authentication mode, and password are set for the console user interface. This allows users to log in to a device through the console port in password authentication mode.

Networking Requirements

To initialize the configuration of a new device, or to maintain the device locally, you must log in through the console user interface. Attributes are set for the console user interface based on user and security requirements.

Configuration Notes

By default, terminal services are enabled on all user interfaces. If terminal services have been disabled on the console user interface, log in to the system by using Telnet and run the shell command in the console user interface view to enable them again.

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure physical attributes for the console user interface.
2. Configure terminal attributes for the console user interface.
3. Set the user priority.


4. Set the user authentication mode and password.

NOTE

The user name and password do not have default values. Other parameters have default values, which are recommended.

Data Preparation

To complete the configuration, you need the following data:

- Transmission rate of the connection: 4800 bit/s
- Flow control mode: none
- Parity bit: even
- Stop bits: 2
- Data bits: 6
- Timeout period of an idle connection: 30 minutes
- Number of lines displayed on a terminal screen: 30
- Buffer size for previously used commands: 20
- User priority value: 15
- User authentication mode: password (the password is huawei)

Procedure

Step 1 Configure physical attributes for the console user interface.

<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] speed 4800
[~HUAWEI-ui-console0] flow-control none
[~HUAWEI-ui-console0] parity even
[~HUAWEI-ui-console0] stopbits 2
[~HUAWEI-ui-console0] databits 6
[~HUAWEI-ui-console0] commit

Step 2 Configure terminal attributes for the console user interface.

[~HUAWEI-ui-console0] shell
[~HUAWEI-ui-console0] idle-timeout 30
[~HUAWEI-ui-console0] screen-length 30
[~HUAWEI-ui-console0] history-command max-size 20
[~HUAWEI-ui-console0] commit

Step 3 Set a user priority for the console user interface.

[~HUAWEI-ui-console0] user privilege level 15
[~HUAWEI-ui-console0] commit

Step 4 Configure password authentication for the console user interface.

[~HUAWEI-ui-console0] authentication-mode password
[~HUAWEI-ui-console0] set authentication password simple huawei
[~HUAWEI-ui-console0] commit
[~HUAWEI-ui-console0] quit

The example uses simple only so that the password is visible on the page. On a production device use set authentication password cipher, and a password other than huawei, so that the configuration file does not hold the plain-text secret.

After the console user interface has been configured, users can log in to the device through theconsole port in password authentication mode. For information about how to log in to the systemthrough the console port, see 3.2 Logging In to the System Through the Console Port.

Step 5 Verify the configuration.


After completing the configuration, run the display user-interface command to view the configuration of Console 0.

<HUAWEI> display user-interface 0
  Idx  Type    Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
+ 0    CON 0   9600    -      3      -            N     -
  + : Current user-interface is active.
  F : Current user-interface is active and work in async mode.
  Idx  : Absolute index of user-interface.
  Type : Type and relative index of user-interface.
  Privi: The privilege of user-interface.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of user-interface.
      A: Authenticate use AAA.
      N: Current user-interface need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Note that this output shows the console at its defaults (9600 bit/s, privilege level 3, Auth N). After Steps 1 to 4 have been committed, the same command should show Tx/Rx 4800, Privi 15, and Auth P. If Auth still shows N, the authentication mode was not committed and the console accepts logins without a password.

----End

Configuration Files

#
 sysname HUAWEI
#
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 databits 6
 parity even
 stopbits 2
 speed 4800
 screen-length 30
#
admin
return

2.4.2 Example for Configuring VTY User Interfaces

In this configuration example, the maximum number of VTY user interfaces, the limit on incoming and outgoing calls, terminal attributes, authentication mode, and password are set. This allows users to use Telnet or SSH (STelnet) to log in to a device in password authentication mode.

Networking Requirements

If you need to log in to a device for local or remote configuration and maintenance by using Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user interfaces, the limit on incoming and outgoing calls, terminal attributes, user priority, and user authentication mode. Configure the parameters based on user and security requirements.

Configuration Roadmap

The configuration roadmap is as follows:

1. Set the maximum number of VTY user interfaces.
2. Configure the limit on incoming and outgoing calls for VTY user interfaces.
3. Configure terminal attributes for VTY user interfaces.


4. Set user priorities for VTY user interfaces.
5. Configure the authentication mode and password for the VTY user interfaces.

Data Preparation

To complete the configuration, you need the following data:

- Maximum number of VTY user interfaces: 18
- Number of the ACL applied to limit incoming calls on the VTY user interfaces: 2000
- Timeout period of an idle connection: 30 minutes
- Number of lines displayed on a terminal screen: 30
- Buffer size for previously used commands: 20
- User priority: 15
- User authentication mode: password (the password is huawei)

NOTE

The ACL number for limiting incoming and outgoing calls on VTY user interfaces, the password, and the user name do not have default values. Other parameters have default values, which are recommended.

Procedure

Step 1 Set the maximum number of VTY user interfaces.

<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 18
[~HUAWEI] commit

Step 2 Configure the limit on incoming and outgoing calls for VTY user interfaces.

[~HUAWEI] acl 2000
[~HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[~HUAWEI-acl-basic-2000] quit
[~HUAWEI] user-interface vty 0 17
[~HUAWEI-ui-vty0-17] acl 2000 inbound
[~HUAWEI-ui-vty0-17] commit

The ACL in this example denies a single source, 10.1.1.1, and as written it does not restrict where other logins may come from. For a management plane the safer pattern is an allow-list: permit the management subnets explicitly and end the ACL with a deny rule, so that a source is rejected unless it was deliberately permitted.

Step 3 Configure terminal attributes for VTY user interfaces.

[~HUAWEI-ui-vty0-17] shell
[~HUAWEI-ui-vty0-17] idle-timeout 30
[~HUAWEI-ui-vty0-17] screen-length 30
[~HUAWEI-ui-vty0-17] history-command max-size 20
[~HUAWEI-ui-vty0-17] commit

Step 4 Set user priorities for VTY user interfaces.

[~HUAWEI-ui-vty0-17] user privilege level 15
[~HUAWEI-ui-vty0-17] commit

Step 5 Configure the authentication mode and password for VTY user interfaces.

[~HUAWEI-ui-vty0-17] authentication-mode password
[~HUAWEI-ui-vty0-17] set authentication password simple huawei
[~HUAWEI-ui-vty0-17] commit
[~HUAWEI-ui-vty0-17] quit

With password authentication, every user of VTY 0 to 17 shares one secret and logs in at level 15 without a user name, so login records cannot be tied to a person. On a production device, use AAA authentication (2.3.5) with individual local-user accounts, and set authentication password cipher rather than simple.

After a VTY user interface is configured, a user can use Telnet or SSH to log in to the device inpassword authentication mode to maintain the device locally or remotely. For information abouthow to use Telnet or SSH to log in to a device, see 3.3 Logging In to the System by UsingTelnet or 3.4 Logging In to the System by Using STelnet.

Step 6 Verify the configuration.


After completing the configurations, run the display user-interface command to view the configurations of the VTY user interfaces.

Use VTY14 as an example:

[~HUAWEI] display user-interface vty 14
  Idx  Type    Tx/Rx   Modem  Privi  ActualPrivi  Auth      Int
+ 34   VTY 14          -      15     15           password  -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

----End

Configuration Files

#
 sysname HUAWEI
#
user-interface maximum-vty 18
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
user-interface vty 0 17
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
 acl 2000 inbound
#
admin
return
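The configuration file above, together with the authentication modes described in 2.3.5, is what a reviewer reads to judge how a device's management plane is exposed. The following Python is an added example written for this page, not a Huawei tool and not code from the guide. It splits a VRP configuration file into its #-separated blocks and reports the settings this chapter warns about: a Telnet server enabled, a password entered with simple, a VTY user interface with no authentication or no inbound ACL, and level 15 granted on a shared-password interface. The sample configuration is constructed from the guide's examples; the vty 0 4 block, the ACL rules and the local-user names are assumptions, not settings from the page.

```python
"""Audit a Huawei VRP configuration file for weak user-interface settings."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the Configuration Files blocks in 2.4.1 and
# 2.4.2 of the guide. The vty 0 4 block (assumed) shows the hardened pattern,
# the vty 5 17 block the weak one. Not a dump from a real device.
SAMPLE_CONFIG = """\
#
 sysname HUAWEI
#
telnet server enable
#
acl number 2000
 rule 5 permit source 192.0.2.0 0.0.0.255
 rule 10 deny
#
aaa
 local-user netops password cipher %^%#constructed-ciphertext%^%#
 local-user netops service-type telnet
 local-user legacy password simple huawei
#
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 acl 2000 inbound
#
user-interface vty 5 17
 authentication-mode none
 user privilege level 15
#
return
"""


@dataclass
class Block:
    header: str                      # column-0 line that opens the block, "" for global lines
    lines: list = field(default_factory=list)


@dataclass
class Finding:
    severity: str                    # HIGH or MEDIUM
    where: str                       # block header, or "(global)"
    message: str


def parse_vrp_config(text):
    """Split VRP config text into blocks: '#' separates blocks, a column-0 line
    opens a block, and one-space-indented lines belong to the open block."""
    blocks, cur = [], Block("")
    for raw in text.splitlines():
        if raw.strip() == "#":                       # section separator
            if cur.header or cur.lines:
                blocks.append(cur)
            cur = Block("")
        elif raw.startswith(" "):                    # indented: part of the open block
            cur.lines.append(raw.strip())
        elif raw.strip():                            # column 0: opens a new block
            if cur.header or cur.lines:
                blocks.append(cur)
            cur = Block(raw.strip())
    if cur.header or cur.lines:
        blocks.append(cur)
    return blocks


# Commands that write a plain-text secret into the configuration file.
PLAIN_SECRET = re.compile(r"^(set authentication password|local-user \S+ password) simple ")


def audit_vrp_config(text):
    """Return the findings a reviewer would raise, in configuration order."""
    findings = []
    for b in parse_vrp_config(text):
        where = b.header or "(global)"
        for ln in ([b.header] if b.header else []) + b.lines:
            if ln in ("telnet server enable", "telnet ipv6 server enable"):
                findings.append(Finding("MEDIUM", where, "Telnet server enabled: credentials "
                                        "and sessions cross the network in plain text; use STelnet"))
            m = PLAIN_SECRET.match(ln)
            if m:                                    # report the command, never the secret itself
                findings.append(Finding("HIGH", where, f"plain-text secret in configuration "
                                        f"('{m.group(1)} simple ...'); re-enter it with cipher"))
        if b.header.startswith("user-interface vty"):
            if "authentication-mode none" in b.lines:
                findings.append(Finding("HIGH", where, "no authentication on a network-reachable VTY"))
            if not any(l.startswith("acl ") and l.endswith(" inbound") for l in b.lines):
                findings.append(Finding("MEDIUM", where, "no inbound ACL: any host that can reach "
                                        "the router can attempt a login"))
            if "user privilege level 15" in b.lines and "authentication-mode aaa" not in b.lines:
                findings.append(Finding("MEDIUM", where, "level 15 for every login on a shared-password "
                                        "or unauthenticated VTY; use AAA so privilege is per user"))
    return findings


def worst_severity(findings):
    order = {"HIGH": 2, "MEDIUM": 1}
    return max((f.severity for f in findings), key=order.get, default="NONE")


if __name__ == "__main__":
    for f in audit_vrp_config(SAMPLE_CONFIG):
        print(f"{f.severity:6} {f.where:26} {f.message}")
```

Paste the output of display current-configuration in place of SAMPLE_CONFIG to audit a live device. The checks are string-exact on the command forms this guide shows; a release that prints a command differently needs the patterns adjusted rather than the logic.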


3 Configuring User Login

About This Chapter

A user can log in to a device by using the console port, Telnet, or SSH (STelnet) to maintain thedevice locally or remotely.

3.1 User Login Overview
Users can log in to devices by using the console port, Telnet, or STelnet.

3.2 Logging In to the System Through the Console Port
To configure a device that is powered on for the first time, or to maintain the device locally, log in to the device through the console port.

3.3 Logging In to the System by Using Telnet
Telnet allows users to log in to remote devices to manage and maintain the devices.

3.4 Logging In to the System by Using STelnet
STelnet, based on SSH2, provides secure remote access over an insecure network.

3.5 Configuration Examples
This section provides configuration examples for logging in to the system through the console port or by using Telnet or STelnet. These configuration examples explain networking requirements, configuration roadmap, and precautions.


3.1 User Login Overview

Users can log in to devices by using the console port, Telnet, or STelnet.

Users can log in to devices to configure, monitor, and maintain the devices locally or remotelyonly after user interfaces, user management, and terminal services have been configured.

User interfaces provide the login entrance. User management ensures login security. Terminalservices offer login protocols.

Users can log in by using any of the login modes listed in Table 3-1 to configure and managethe router.

Table 3-1 User login modes

Login Mode: Logging In to the System Through the Console Port
Application: Users log in through the console port to configure a device locally. This login mode is required when a device is powered on for the first time.

Login Mode: Logging In to the System by Using Telnet
Application: Users log in by using Telnet to maintain a device locally or remotely. Telnet is convenient for reaching remote devices but sends the credentials and the whole session in plain text, so it should be replaced by STelnet wherever the path is not trusted.

Login Mode: Logging In to the System by Using STelnet
Application: STelnet protects users logging in to a device to maintain it locally or remotely by encrypting the session.

Console Port Overview

For information about the console port, see Overview of Logging In to the System for the First Time.

Telnet Overview

Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote login and virtual terminal services. The NE5000E provides the following Telnet services:

l Telnet server: A user runs the Telnet client program on a PC to log in to the router toconfigure and manage the router. The router functions as a Telnet server.

l Telnet client: After using the terminal emulator or Telnet client program on a PC to connectto the router, a user runs the telnet command to log in to another device for configurationand management. The router functions as a Telnet client. In Figure 3-1, the CE functionsas both a Telnet server and a Telnet client.


Figure 3-1 Telnet server providing the Telnet client service (a PC opens Telnet session 1 to the CE; the CE, acting as a Telnet client, opens Telnet session 2 to the PE, which acts as the Telnet server)

- Telnet service interruption

Figure 3-2 Usage of Telnet shortcut keys (P1, the Telnet client, opens Telnet session 1 to P2; P2 opens Telnet session 2 to P3, the Telnet server)

Two pairs of shortcut keys can be used to interrupt Telnet connections. As shown in Figure 3-2, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2. P2 is the Telnet client of P3. The shortcut keys are used as follows:

- Ctrl_]: Instructs the server to disconnect a Telnet connection.

If the shortcut keys Ctrl_] are used when the network works properly, the Telnet server interrupts the current Telnet connection. For example, enter Ctrl_] on P3, and the P2 prompt is displayed:

<P3>                      (press Ctrl_] to return to the prompt of P2)
The connection was closed by the remote host.
<P2>                      (press Ctrl_] to return to the prompt of P1)
The connection was closed by the remote host.
<P1>

NOTE

If the network connection is disconnected, the shortcut keys do not take effect.

- Ctrl_K: Instructs the client to disconnect the connection.

When the server fails and the client is unaware of the failure, the server does not respond to the client's input. In this case, if you press Ctrl_K, the Telnet client interrupts the connection and quits the Telnet session. For example, press Ctrl_K on P3 to quit the Telnet connection:

<P3>                      (press Ctrl_K to abort)
<P1>


CAUTIONWhen the number of remote login users reaches the maximum number of VTY userinterfaces, the system prompts subsequent users with a message, indicating that all userinterfaces are in use and no more Telnet connections are allowed.

STelnet Overview

NOTE

Currently, a device running SSH1 or SSH2 can function as an SSH server. Only devices running SSH2 can function as SSH clients. STelnet is based on SSH2. After the client and the server have negotiated and set up a secure connection, the client can log in to the server in the same way as with Telnet. SSH1 is an obsolete protocol version with known weaknesses; accept only SSH2 on the server wherever the clients allow it.

Logins using Telnet add security risks because Telnet does not provide any secure authentication mechanism and data is transmitted over TCP in plain text. Telnet connections are vulnerable to Denial of Service (DoS) attacks, IP address spoofing, and route spoofing.

SSH provides secure remote access over an insecure network by supporting the following functions:

- RSA authentication: An RSA public/private key pair, generated according to the principle of the asymmetric encryption system, authenticates the peer and protects the key exchange, ensuring a secure session. (RSA here is the Rivest-Shamir-Adleman public-key algorithm.)

- Data encryption algorithms: Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES). DES uses a 56-bit key and can be broken by exhaustive search; prefer AES whenever the client supports it.

- User name and password encryption: This prevents the user name and password from being intercepted during communication between the client and the server.

- Encryption of transmitted data.

A device serving as an SSH server can accept connection requests from multiple SSH clients. The device can also serve as an SSH client, helping users establish SSH connections with an SSH server. This allows users to use SSH to log in to remote devices from the local device.

- Local connection

As shown in Figure 3-3, an SSH channel is established for a local connection.

Figure 3-3 Establishing an SSH channel on a local area network (LAN): a PC running an SSH client, a laptop, and a server on the same Ethernet 100BASE-TX segment


- Wide area network (WAN) connection

As shown in Figure 3-4, an SSH channel is established for a connection on a WAN.

Figure 3-4 Establishing an SSH channel on a WAN: a PC running an SSH client on the local LAN reaches, through the local router and the WAN, the SSH router and a PC on the remote LAN

3.2 Logging In to the System Through the Console Port

To configure a device that is powered on for the first time, or to maintain the device locally, log in to the device through the console port.

Applicable Environment

A device can be logged in to only through the console port when the device is powered on for the first time.

Pre-configuration Tasks

Before logging in to the system through the console port, complete the following tasks:

- Prepare a PC or terminal with a serial interface and an RS-232 cable.
- Install a terminal emulator on the PC, such as Windows XP HyperTerminal.

Configuration Procedures

Figure 3-5 Logging in to the system through the console port (flowchart: configure the console user interface, then log in to the system through the console port; the legend distinguishes mandatory and optional procedures)

3.2.1 Configuring the Console User Interface

To allow users to log in to the system through the console port, configure attributes for the console user interface.


Context

If you need to log in to a device through the console port for local maintenance, configure the console user interface, including the physical attributes, terminal attributes, user priority, and user authentication mode. Configure the parameters based on use and security requirements.

For the configuration of the console user interface, see Configuring the Console User Interface.

3.2.2 Logging In to the System Through the Console Port

Users can connect a terminal to the console port on a device, and then log in to the device.

Context

NOTE

- The communication parameters of the user terminal must be consistent with the physical attributes of the console user interface on the device.
- After a user authentication mode is specified in the console user interface, a user can log in to the device only after authentication succeeds. This enhances network security.

For information about logging in to the system through the console port, see Logging In to the Router Through the Console Port.

3.2.3 Checking the Configuration

After logging in to the system through the console port, you can view information about the console user interface, such as its usage, physical attributes and configuration, the local user list, and logged-in users.

Prerequisite

Configuration of user login through the console port is complete.

Procedure

- Run the display users [ all ] command to check user login information about user interfaces.
- Run the display user-interface console 0 command to check physical attributes and configuration of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check information about logged-in users.

----End

Example

Run the display users command to view user login information about the current user interface.

<HUAWEI> display users
  User-Intf    Delay     Type  Network Address    AuthenStatus  AuthorcmdFlag
  0   CON 0
  Username : Unspecified
+ 258 VTY 0    00:00:00  TEL   10.164.6.15        pass          no
  Username : Unspecified
  259 VTY 1
  Username : Unspecified

Run the display user-interface console 0 command to view physical attributes and configuration of the user interface.


<HUAWEI> display user-interface console 0
  Idx  Type    Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
  0    CON 0   9600    -      3      -            N     -
  1    CON 0   9600    -      3      -            N     -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command to view the local user list.

<HUAWEI> display local-user
  ----------------------------------------------------------------------------
  Username             State        Type        Online
  ----------------------------------------------------------------------------
  user123              Active       All         0
  ll                   Active       F           0
  user1                Active       F           0
  ----------------------------------------------------------------------------
  Total 3,3 printed

Run the display access-user command to view information about logged-in users.

<HUAWEI> display access-user
  -----------------------------------------------
  User-name        domain-name        userid
  -----------------------------------------------
  root             default            1
  abcd             default            2
  -----------------------------------------------
  Total users              : 2
  Wait authen-ack          : 0
  Authentication success   : 2

3.3 Logging In to the System by Using Telnet

Telnet allows users to log in to remote devices to manage and maintain the devices.

Applicable Environment

If one or more devices need to be configured and managed, you do not need to connect each ofthe devices to a terminal to maintain the devices locally. If you have obtained the IP address ofa device and logged in to the device before, you can use Telnet to log in to the device to remotelyconfigure the device. This allows you to maintain multiple devices on one terminal, greatlyfacilitating device management.

NOTE

The IP address of a device needs to be preset through the console port.

Pre-configuration Tasks

Before using Telnet to log in to the system, complete the following task:

l Configuring a route between a terminal and a device


Configuration Procedures

Figure 3-6 Logging in to the system by using Telnet (flowchart: configure VTY user interfaces; configure local Telnet users; enable the Telnet server function; configure the listening port number of the Telnet server; use Telnet to log in to the system from terminals; the legend distinguishes mandatory and optional procedures)

3.3.1 Configuring VTY User Interfaces

If you need to use Telnet or SSH to log in to a device to maintain the device locally or remotely, configure VTY user interfaces based on user and security requirements.

Context

The default user authentication mode for VTY user interfaces is password authentication, but no password is set by default. Before using Telnet or SSH to log in to a device, configure the authentication mode for the VTY user interfaces and set the password (or, for AAA, the local users). Otherwise, you cannot log in to the device.

NOTE

The authentication mode can be configured for VTY user interfaces by logging in to the device through the console port.

For the configuration of VTY user interfaces, see Configuring VTY User Interfaces.

3.3.2 (Optional) Configuring Local Telnet Users

If the user authentication mode of the VTY user interfaces is no-authentication or password authentication, the following configuration is not required. It is required for AAA authentication, where each user logs in with an individual user name and password.

Context

By default, a local user can use any access type. After the user's access type has been specified, the user can log in to the system only by using the specified access type.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: aaa

The AAA view is displayed.

Step 3 Run: local-user user-name password { simple | cipher } password

The user name and password are set.

- If simple is specified, the password must be entered in plain text and is stored in plain text in the configuration file.
- If cipher is specified, the password can be entered either in plain text or as ciphertext; the stored form is determined by the input. Use cipher so that the plain-text password is not written to the configuration file.

Step 4 Run: local-user user-name service-type telnet

The access type of the local user is set to Telnet.

Step 5 Run: commit

The configuration is committed.

----End

3.3.3 Enabling the Telnet Server Function

The Telnet server can be connected to only after the Telnet server function has been enabled.

Choose either of the following steps based on the network protocol:

Procedure

- IPv4:

1. Run: system-view
   The system view is displayed.
2. Run: telnet server enable
   The Telnet server function is enabled.
3. Run: commit
   The configuration is committed.

- IPv6:

1. Run: system-view


   The system view is displayed.
2. Run: telnet ipv6 server enable
   The Telnet server function is enabled.
3. Run: commit
   The configuration is committed.

NOTE

- If the undo telnet [ ipv6 ] server enable command is run to disable the Telnet server function while users are logged in by using Telnet, the command does not take effect.
- After the Telnet server function is disabled, established Telnet connections are not interrupted, and no new Telnet connection is allowed. In this situation, users can log in to the system by using SSH or through the console port.

----End

3.3.4 (Optional) Configuring the Listening Port Number for the Telnet Server

The listening port number of the Telnet server can be changed. After the listening port number is changed, only users who know the current listening port number can log in to the router by using Telnet.

Context

By default, the listening port number of the Telnet server is 23, and users can log in to the router without specifying a port number. Attackers may target the default listening port, consuming bandwidth, degrading the performance of the server, and preventing valid users from accessing it. After the listening port number is changed, opportunistic connection attempts aimed at port 23 no longer reach the Telnet server. Note that a non-default port is not hidden from an attacker who scans the router's ports, so this measure reduces noise rather than providing access control; restrict who can reach the VTY user interfaces with an inbound ACL, and use STelnet instead of Telnet, for the actual protection.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: telnet [ ipv6 ] server port port-number

The listening port number is set for the Telnet server.

If a new listening port number is set, the Telnet server terminates all established Telnet connections and then uses the new port number to listen for new Telnet connection requests.

Step 3 Run: commit

The configuration is committed.

----End


3.3.5 Logging In to the System by Using Telnet

After the device is configured, you can use Telnet to log in to the device from a terminal to maintain the device remotely.

Context

If you need to log in to the system by using Telnet, use either the Windows Command Prompt or third-party software on the terminal. The Windows Command Prompt is used as an example.

Do as follows on the PC:

Procedure

Step 1 Open the Windows Command Prompt window.

Step 2 Run the telnet ip-address command to use Telnet to log in to the device.

1. Input the IP address of the Telnet server.

Figure 3-7 Schematic diagram 1 for login by using Telnet

2. Press Enter, and the command prompt of the user view, such as <HUAWEI>, is displayed. This indicates that you have accessed the Telnet server.

Figure 3-8 Schematic diagram 2 for login by using Telnet

----End


3.3.6 Checking the Configuration

After logging in to the system by using Telnet, you can view information about the current user interface, every user interface, and established TCP connections.

Prerequisite

The configurations for logging in to the system by using Telnet are complete.

Procedure

- Run the display users [ all ] command to check information about user interfaces.
- Run the display tcp status command to check established TCP connections.
- Run the display telnet server status command to check the configuration and status of the Telnet server.

----End

Example

Run the display users command to view information about the current user interface.

<HUAWEI> display users
  User-Intf    Delay     Type  Network Address    AuthenStatus   AuthorcmdFlag
  34  VTY 0    00:00:12  TEL   1.1.1.1            no
  Username : Unspecified
+ 35  VTY 1    00:00:00  TEL   1.1.1.2            no
  Username : Unspecified

Run the display tcp status command to view TCP connections. Established in the command output indicates that a TCP connection has been established. The LISTEN rows show every service the router is accepting connections for; in this output FTP (port 21) is listening as well, which is worth knowing when restricting management access.

<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port   Foreign Add:port  VPNID  State
39952df8  36 /1509  0.0.0.0:0        0.0.0.0:0         0      Closed
32af9074  59 /1     0.0.0.0:21       0.0.0.0:0         14849  LISTEN
34042c80  73 /17    10.1.1.1:23      10.2.2.2:1147     0      Established

Run the display telnet server status command to view the configuration and status of the Telnet server.

<HUAWEI> display telnet server status
Session 1:
  Source ip address          : 10.137.217.221
  VTY Index                  : 14
Current number of sessions   : 1

3.4 Logging In to the System by Using STelnet

STelnet, based on SSH2, provides secure remote access over an insecure network.

Applicable Environment

A large number of devices on a network need to be managed and maintained. Connecting every device to a terminal is impractical, especially when there is no reachable route between a device and the terminal. To manage and maintain such remote devices, log in to them from a device that you have already logged in to. Doing this with Telnet brings security risk because Telnet does not provide any secure authentication mechanism and data is transmitted over TCP in plain text.

STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and authentication and protects devices against attacks such as IP address spoofing and plain-text password interception.

Pre-configuration Tasks

Before logging in to the system by using STelnet, complete the following task:

- Configuring a route between a terminal and a device

Configuration Procedures

Figure 3-9 Logging in to the system by using STelnet (flowchart; the steps are listed below in order)

1. Configure VTY user interfaces (mandatory)
2. Configure VTY user interfaces to support SSH (mandatory)
3. Configure an SSH user and specify STelnet as the service type (mandatory)
4. Enable the STelnet server function (mandatory)
5. Configure STelnet server parameters (optional)
6. Use STelnet to log in to the system from a terminal (mandatory)

3.4.1 Configuring VTY User Interfaces

If you need to use Telnet or SSH to log in to a device to locally or remotely maintain it, configure VTY user interfaces based on user and security requirements.

Context

The default user authentication mode for VTY user interfaces is password authentication. Before using Telnet or SSH to log in to a device, configure the authentication mode and its credentials for the VTY user interfaces; otherwise, the login is rejected.


NOTE

Authentication mode can be configured for VTY user interfaces by logging in to a device through theconsole port.

For configurations about VTY user interfaces, see Configuring VTY User Interfaces.

3.4.2 Configuring VTY User Interfaces to Support SSH

STelnet is based on SSH2. After the client and the server negotiate a secure connection, the client logs in to the server the same way as with Telnet.

Context

By default, user interfaces support Telnet. If no user interface is enabled with SSH, users cannot log in to the device by using STelnet. Setting protocol inbound ssh on a VTY user interface also stops that interface from accepting Telnet (see the note in 3.5.3), which is the desired state once STelnet is in use.

Do as follows on the device that functions as an SSH server:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

Step 3 Run: authentication-mode aaa

AAA authentication is set.

Step 4 Run: protocol inbound ssh

SSH is enabled on the VTY user interface.

NOTE

Before configuring a user interface to support SSH, set the authentication mode of the user interface to AAA. Otherwise, the protocol inbound ssh command does not take effect.

Step 5 Run: commit

The configuration is committed.

----End

3.4.3 Configuring an SSH User and Specifying the Service Type

To allow users to use STelnet to log in to a device, configure an SSH user, configure the device to generate a local RSA key pair, configure a user authentication mode, and specify a service type for the SSH user.


Context

- SSH users can be authenticated in four modes: RSA, password, password-RSA, and All. Password authentication depends on AAA. Before a user logs in to the device in password or password-RSA authentication mode, a local user with the same user name must be created in the AAA view.

- Configuring the system to generate a local RSA key pair is a key step for SSH login. If an SSH user logs in to an SSH server in password authentication mode, configure the server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA authentication mode, configure both the server and the client to generate local RSA key pairs.

NOTE

Password-RSA authentication requires both password authentication and RSA authentication to succeed. The All authentication mode requires either password authentication or RSA authentication to succeed, so it is only as strong as the weaker of the two; use password-RSA where two factors are wanted.

Do as follows on the device that functions as an SSH server:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssh user user-name

An SSH user is created.

If password or password-RSA authentication is configured for the SSH user, create the same user in the AAA view and set the local user access type to SSH.

1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password { simple | cipher } password command to configure a local user name and a password. Use cipher: with simple, the password is stored in the configuration file in plain text.
3. Run the local-user user-name service-type ssh command to set the local user access type to SSH.
4. Run the quit command to exit from the AAA view and return to the system view.

By default, a local user can use any access type. Specify an access type so that only users configured with that access type can log in to the device through it.

Step 3 Run: rsa local-key-pair create

A local RSA key pair is generated. When prompted for the modulus size (512 to 2048 bits on this platform, default 512; see the example in 3.5.3), enter 2048: a 512-bit RSA key can be factored with modest resources, and current OpenSSH clients refuse RSA host keys shorter than 1024 bits.

NOTE

- The rsa local-key-pair create command must be used to create a local RSA key pair before other SSH-related configuration.

- After the key pair is generated, run the display rsa local-key-pair public command to view information about the public key in the local key pair.

Step 4 Run: ssh user user-name authentication-type { password | rsa | password-rsa | all }


An authentication mode is set for the SSH user.

Perform either of the following operations as needed:

- Configure password authentication.
  - Run the ssh user user-name authentication-type password command to configure password authentication for one user.
  - Run the ssh authentication-type default password command to configure default password authentication.
  If local or HWTACACS authentication is used and there are only a few users, use password authentication. If there are a large number of users, use default password authentication to simplify configuration.

- Configure RSA authentication.
  1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
  2. Run the rsa peer-public-key key-name command to enter the public key view.
  3. Run the public-key-code begin command to enter the public key edit view.
  4. Enter hex-data to edit the public key.

  NOTE

  - In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. The string is the public half of the key pair generated on the SSH client. For detailed operations, see the manuals for the SSH client software.
  - After entering the public key edit view, paste the RSA public key generated on the client into the server.

  5. Run the public-key-code end command to exit from the public key edit view.
  - The peer-public-key end command saves the key only after valid hex-data complying with the public key format has been entered.
  - If the peer-public-key end command is used after the key key-name specified in step 2 has been deleted in another window, the system displays a message indicating that the key does not exist, and the system view is displayed.
  6. Run the peer-public-key end command to return to the system view.
  7. Run the ssh user user-name assign rsa-key key-name command to assign the public key to the SSH user.

Step 5 (Optional) Configure basic authentication information for the SSH user.

1. Run the ssh server rekey-interval hours command to set an interval at which the key of the server is updated.
   By default, the interval is 0, indicating that the key is never updated.
2. Run the ssh server timeout seconds command to set the timeout period for SSH authentication.
   By default, the timeout period is 60 seconds.
3. Run the ssh server authentication-retries times command to set the retry times of SSH authentication.
   By default, SSH authentication retries a maximum of 3 times.

Step 6 Run: ssh user user-name service-type { stelnet | sftp | all }


The service type of the SSH user is set to STelnet, SFTP, or all.

By default, the service type of an SSH user is none, that is, no service is supported.

Step 7 Run: commit

The configuration is committed.

----End

3.4.4 Enabling the STelnet Server Function

The STelnet server can be connected to only when the STelnet server function is enabled.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: stelnet server enable

The STelnet server function is enabled.

If the STelnet server function is later disabled, all STelnet clients are disconnected.

Step 3 Run: commit

The configuration is committed.

----End

3.4.5 (Optional) Configuring STelnet Server Parameters

You can configure whether the device accepts earlier SSH protocol versions, configure or change the listening port number of the SSH server, and set an interval at which the key pair of the SSH server is updated.

Context

- The SSH protocol has two generations: SSH1.X and SSH2.0. Compared with SSH1.X, SSH2.0 has an extended structure and supports more authentication modes and key exchange methods. In addition, SSH2.0 supports more advanced services such as SFTP. The NE5000E supports SSH versions from 1.3 to 2.0. SSH1.X has known protocol weaknesses and should be accepted only while a legacy client still requires it.

- The default listening port number of an SSH server is 22. When the default listening port number is used, users can log in to the device without specifying the port number. Attackers who probe the default port can consume bandwidth, degrade performance of the server, and prevent valid users from accessing the server. Changing the listening port stops connections aimed at port 22, but a port scan still finds the new port; combine the change with an inbound ACL on the VTY user interfaces rather than relying on it alone.


- An interval at which the key pair of an SSH server is updated can be set. When the timer expires, the key pair is automatically regenerated, which limits how long a compromised key remains useful.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssh server compatible-ssh1x enable

The system is enabled to accept earlier SSH protocol versions.

By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent SSH1.X clients from logging in, run the undo ssh server compatible-ssh1x enable command; this is the recommended setting unless a legacy client still needs SSH1.X.

Step 3 Run: ssh server port port-number

The listening port number is set for the SSH server.

By default, the listening port number is 22.

If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections and then listens for connection requests on the new port.

Step 4 Run: ssh server rekey-interval hours

The interval at which the key pair of the SSH server is updated is set.

By default, the interval is zero, indicating that the key pair is never updated.

Step 5 Run: commit

The configuration is committed.

----End

3.4.6 Logging In to the System by Using STelnet

After the preceding configuration is complete, a user can log in to the system from a terminal by using STelnet to remotely maintain the device.

Context

Third-party software can be used to log in by STelnet. The third-party software OpenSSH, run from the Windows Command Prompt, is used as an example.

After installing OpenSSH on a PC, do as follows on the PC:

NOTE

For details about how to install OpenSSH, see the software installation guide.

For details about how to use OpenSSH commands to log in to the device, see the software help document.

Current OpenSSH releases no longer offer SSH1, CBC ciphers or hmac-md5 by default and refuse RSA host keys shorter than 1024 bits, so a connection to a device left at the defaults shown in this chapter (512-bit key, SSH1.X compatibility) may be rejected by the client. Generate a 2048-bit key pair (3.4.3) and disable SSH1.X compatibility (3.4.5) rather than re-enabling legacy algorithms on the client.


Procedure

Step 1 Enter the Windows Command Prompt window.

Step 2 Run OpenSSH commands to log in to the device by using STelnet, as shown in Figure 3-10, for example ssh user-name@ip-address, adding -p port-number if the listening port of the SSH server was changed in 3.4.5.

Figure 3-10 Schematic diagram for login by using STelnet

----End

3.4.7 Checking the Configuration

After you log in to the system by using STelnet, you can view the configuration of the SSH server.

Prerequisite

The configuration for logging in to the system by using STelnet is complete.

Procedure

- Run the display ssh user-information username command on the SSH server to check information about SSH users.
- Run the display ssh server status command on the SSH server to check its configuration.
- Run the display ssh server session command on the SSH server to check information about sessions between the SSH server and SSH clients.
- Run the display ssh server statistics command on the SSH server to view the total numbers of connections accepted, denied, and closed, and the number of online connections.

----End


Example

Run the display ssh user-information username command to view information about a specified SSH user.

<HUAWEI> display ssh user-information client001
------------------------------------------------------------
User Name             : client001
Authentication-Type   : password
User-public-key-name  : -
Sftp-directory        : -
Service-type          : stelnet
------------------------------------------------------------
Total 1, 1 printed

If no SSH user is specified, information about all SSH users on the SSH server is displayed.

Run the display ssh server status command to view the configuration of the SSH server. SSH version 1.x compatibility: ENABLED is the default described in 3.4.5 and should be disabled unless an SSH1.X client is still in use.

<HUAWEI> display ssh server status
------------------------------------------------------------
SSH Version                          : 1.99
SSH authentication timeout           : 60 Seconds
SSH authentication retries           : 3 Times
SSH server key generating interval   : 0 Hours
SSH version 1.x compatibility        : ENABLED
SSH server keep alive                : DISABLED
SFTP server                          : DISABLED
STELNET server                       : DISABLED
SNETCONF server                      : DISABLED
SSH server port                      : 22
------------------------------------------------------------

Run the display ssh server session command to view information about sessions between the SSH server and SSH clients. The CTOS and STOC fields show the algorithms negotiated for the session; aes128-cbc, hmac-md5 and a SHA-1 based group exchange are accepted by this release but are no longer offered by current OpenSSH clients by default.

<HUAWEI> display ssh server session
Session             : 1
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : stelnet
Authentication Type : password

Run the display ssh server statistics command to view the current statistics of the SSH server. The connections denied by ACL and by AAA are the counters to watch for scanning and password guessing against the management plane.

<HUAWEI> display ssh server statistics
------------------------------------------------
Total connection accepted           : 1
Total connection denied by ACL      : 2
Total connection denied by CLI      : 0
Total connection denied by AAA      : 3
Total connection denied by Netconf  : 1
Total connection closed by CLI      : 1
Total connection closed by Netconf  : 4
Total connection closed by sock     : 3
Total online connection             : 5
------------------------------------------------
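The status and session outputs above are what an operator has to read to decide whether the SSH server is in a safe state: SSH1.X compatibility, a key that is never regenerated, CBC ciphers, hmac-md5 and SHA-1 based key exchange all show up there. The following Python audit is added here as an example and is not part of this guide; it parses text in the layout of these display commands and reports those settings. STATUS_SAMPLE and the first session in SESSION_SAMPLE use the values shown on this page (with the STelnet server enabled); the second session, with modern algorithms, is hypothetical.

```python
"""Audit 'display ssh server status' and 'display ssh server session' output for weak settings."""
import re

# Constructed samples in the layout of the display commands above. STATUS_SAMPLE and the
# first session use the values shown on this page; the second session is hypothetical.
STATUS_SAMPLE = """\
SSH Version                          : 1.99
SSH authentication timeout           : 60 Seconds
SSH authentication retries           : 3 Times
SSH server key generating interval   : 0 Hours
SSH version 1.x compatibility        : ENABLED
SSH server keep alive                : DISABLED
SFTP server                          : DISABLED
STELNET server                       : ENABLED
SNETCONF server                      : DISABLED
SSH server port                      : 22
"""

SESSION_SAMPLE = """\
Session             : 1
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : stelnet
Authentication Type : password
Session             : 2
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 0
CTOS Cipher         : aes256-ctr
STOC Cipher         : aes256-ctr
CTOS Hmac           : hmac-sha2-256
STOC Hmac           : hmac-sha2-256
Kex                 : diffie-hellman-group14-sha256
Service Type        : stelnet
Authentication Type : rsa
"""

WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}


def parse_kv(text: str) -> dict:
    """Turn 'Key : Value' lines into a dict; rule lines (no colon) are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def parse_sessions(text: str) -> list:
    """Split session output into one dict per block starting with 'Session : N'."""
    blocks = re.split(r"(?m)^(?=Session\s*:)", text)
    return [parse_kv(block) for block in blocks if block.strip()]


def audit_status(status: dict) -> list:
    """Server-wide findings from 'display ssh server status'."""
    findings = []
    if status.get("SSH version 1.x compatibility", "").upper() == "ENABLED":
        findings.append("SSH 1.x compatibility enabled: run undo ssh server compatible-ssh1x enable")
    if status.get("SSH server key generating interval", "").split()[:1] == ["0"]:
        findings.append("server key is never regenerated (rekey-interval 0)")
    return findings


def audit_session(session: dict) -> list:
    """Per-session findings on the negotiated algorithms."""
    findings = []
    if session.get("Version") != "2.0":
        findings.append(f"session uses SSH {session.get('Version')}: SSH-1 has no MAC, only a CRC")
    for field in ("CTOS Cipher", "STOC Cipher"):
        cipher = session.get(field, "")
        if cipher.endswith("-cbc") or cipher.startswith("arcfour") or cipher == "none":
            findings.append(f"{field} {cipher}: CBC or legacy cipher")
    for field in ("CTOS Hmac", "STOC Hmac"):
        mac = session.get(field, "")
        if mac in WEAK_MACS:
            findings.append(f"{field} {mac}: MD5 or truncated MAC")
    kex = session.get("Kex", "")
    if kex.endswith("-sha1"):
        findings.append(f"Kex {kex}: SHA-1 based key exchange")
    return findings


def audit(status_text: str, session_text: str) -> dict:
    """Map 'server' and each session's user name to its list of findings."""
    report = {"server": audit_status(parse_kv(status_text))}
    for session in parse_sessions(session_text):
        report[session.get("Username", "?")] = audit_session(session)
    return report


if __name__ == "__main__":
    for scope, items in audit(STATUS_SAMPLE, SESSION_SAMPLE).items():
        print(scope, items or ["ok"])
```

Feed it the text captured from the two display commands on the router (for example from a terminal log) and the session entries tell you which clients are still negotiating the legacy algorithms before you tighten the client or server side.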


3.5 Configuration Examples

This section provides configuration examples for logging in to the system through the console port or by using Telnet or STelnet. These configuration examples explain networking requirements, configuration roadmap, and precautions.

3.5.1 Example for Logging In to the System Through the Console Port

In this example, a PC is set up to allow a user to log in to the router through the console port.

Networking Requirements

If the default parameter values for the console user interface on the router have been changed, the same parameters must be set on the user terminal before the next login through the console port.

Figure 3-11 Networking diagram for login through the console port (PC connected to the Router through the console port)

Configuration Roadmap

1. Connect a PC to the console port on the router.
2. Set parameters on the PC for login.
3. Log in to the router.

Data Preparation

Communication parameters of the PC (transmission rate: 4800 bit/s, data bits: 6, parity: even, stop bits: 2, flow control: none).

Procedure

Step 1 Establish the configuration environment. Connect the serial interface on the user terminal to the console port on the router through a standard RS-232 cable.

Step 2 Run the terminal emulator on the PC.

Set communication parameters for the PC, as shown in Figure 3-12 to Figure 3-14. Set the transmission rate to 4800 bit/s, data bits to 6, parity to even, stop bits to 2, and flow control to none.


Figure 3-12 Establishing a connection

Figure 3-13 Setting connected ports


Figure 3-14 Setting communication parameters

Step 3 Power on the router and wait for the self-check to complete. After the router starts properly and finishes the self-check, the system prompts you to press Enter, and the command prompt <HUAWEI> is displayed.

Use commands to view the operating status of the router or configure the router.

----End

3.5.2 Example for Logging In to the System by Using Telnet

In this example, VTY user interfaces are configured to allow users to log in to the device from the client.

Networking Requirements

A user can use a user terminal to log in to the router on another network segment to remotely maintain the router.

Figure 3-15 Networking diagram for logging in to the system by using Telnet (PC, network, P1 with GE0/0/0 10.137.217.221/16)


Precautions

In this example, a user who has passed AAA authentication and logged in to the router by using Telnet must be prevented from using Telnet from the router to log in to other routers on the network.

Configuration Roadmap

1. Establish a physical connection.
2. Assign an IP address to the management interface on P1 (GigabitEthernet 0/0/0 in this example).
3. Configure VTY user interfaces, including the limit on incoming and outgoing calls.
4. Configure Telnet user information.

Data Preparation

To complete the configuration, you need the following data:

- IP address of the management interface on P1
- Maximum number of VTY user interfaces: 10
- Number of the ACL that is used to prohibit users from logging in to another router: 3001
- Timeout period of a user connection: 20 minutes
- Number of lines displayed on a terminal screen: 30
- Buffer size for previously used commands: 20
- Telnet user information (authentication mode: AAA, user name: huawei, password: hello)

Procedure

Step 1 Connect the PC and the router to the network.

Step 2 Assign an IP address to the management interface on P1.

<HUAWEI> system-view
[~HUAWEI] sysname P1
[~HUAWEI] commit
[~P1] interface gigabitethernet 0/0/0
[~P1-GigabitEthernet0/0/0] undo shutdown
[~P1-GigabitEthernet0/0/0] ip address 10.137.217.221 255.255.0.0
[~P1-GigabitEthernet0/0/0] commit
[~P1-GigabitEthernet0/0/0] quit

Step 3 Configure VTY user interfaces on the router.

# Set the maximum number of VTY user interfaces.

[~P1] user-interface maximum-vty 10
[~P1] commit

# Configure an ACL to restrict users from logging in to another router. The ACL is applied outbound, so it only stops Telnet sessions that logged-in users start from the router; it does not restrict which addresses may log in to P1. To do that, apply an ACL inbound on the VTY user interfaces (the configuration file at the end of this example shows acl 2000 inbound).

[~P1] acl 3001
[~P1-acl-adv-3001] rule deny tcp source any destination-port eq telnet
[~P1-acl-adv-3001] quit
[~P1] user-interface vty 0 9
[~P1-ui-vty0-9] acl 3001 outbound

# Set terminal attributes of VTY user interfaces.


[~P1-ui-vty0-9] shell
[~P1-ui-vty0-9] idle-timeout 20
[~P1-ui-vty0-9] screen-length 30
[~P1-ui-vty0-9] history-command max-size 20

# Set a user authentication mode for VTY user interfaces.

[~P1-ui-vty0-9] authentication-mode aaa
[~P1-ui-vty0-9] commit
[~P1-ui-vty0-9] quit

Step 4 Set Telnet user information on the router.

# Create the local user that AAA authenticates at login.

[~P1] aaa
[~P1-aaa] local-user huawei password cipher hello
[~P1-aaa] local-user huawei service-type telnet
[~P1-aaa] local-user huawei level 3
[~P1-aaa] commit
[~P1-aaa] quit

Step 5 Log in from the PC.

Enter the Windows Command Prompt window and run the telnet command with the address of P1, as shown in Figure 3-16.

Figure 3-16 Telnet login window on the PC

Press Enter, and input the user name and password in the login window. After user authentication succeeds, the command prompt of the user view is displayed, as shown in Figure 3-17. This indicates that you have entered the user view.

Figure 3-17 Window displayed after login to the router


----End

Configuration file of P1

#
 sysname P1
#
user-interface maximum-vty 10
#
acl number 3001
 rule 5 deny tcp destination-port eq telnet
#
aaa
 local-user huawei password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 local-user huawei level 3
 local-user huawei service-type telnet
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
user-interface vty 0 9
 authentication-mode aaa
 user privilege level 15
 set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 history-command max-size 20
 idle-timeout 20 0
 screen-length 30
 acl 2000 inbound
 acl 3001 outbound
#
admin
return

3.5.3 Example for Logging In to the System by Using STelnet

In this example, a local key pair is generated on an SSH server, and a user name and a password are configured on the server for an SSH user. After the STelnet server function is enabled on the server, the STelnet client connects to the server.

Networking Requirements

As explained in 3.4, remote devices are often maintained by logging in to them from a device you have already logged in to. Doing so with Telnet brings security risk because Telnet has no secure authentication mechanism and carries all data, including passwords, over TCP in plain text.

STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and authentication and protects devices against attacks such as IP address spoofing and plain-text password interception.


As shown in Figure 3-18, after the STelnet server function is enabled on the router functioning as an SSH server, STelnet clients can log in to the SSH server in password, RSA, password-RSA, or All authentication mode.

Figure 3-18 Networking diagram for logging in to the system by using STelnet (PC, network, SSH Server with GE0/0/0 10.137.217.225/16)

Configuration Roadmap

The configuration roadmap is as follows:

1. Assign an IP address to the management interface on the SSH server (GigabitEthernet 0/0/0 in this example).
2. Configure a local key pair on the SSH server, allowing secure data transmission between the STelnet client and the SSH server.
3. Configure VTY user interfaces on the SSH server.
4. Configure an SSH user, including the authentication mode, user name, and password.
5. Enable the STelnet server function on the SSH server and configure a user service type.

Data Preparation

To complete the configuration, you need the following data:

- IP address of the management interface on the SSH server: 10.137.217.225/16
- SSH user authentication mode: password; user name: client001; password: huawei
- User level of client001: 3

Procedure

Step 1 Configure a login address.

<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] interface gigabitethernet 0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.225 255.255.0.0
[~SSH Server-GigabitEthernet0/0/0] commit
[~SSH Server-GigabitEthernet0/0/0] quit

Step 2 Configure a local key pair on the server. Enter 2048 at the modulus prompt rather than accepting the 512-bit default (see 3.4.3).

[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus [default = 512] :


Step 3 Configure VTY user interfaces on the SSH server.

[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[~SSH Server-ui-vty0-4] protocol inbound ssh
[~SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

NOTE

If SSH is configured as the login protocol, the NE5000E automatically disables the Telnet function.

Step 4 Configure the SSH user name and password on the SSH server.

[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password cipher huawei
[~SSH Server-aaa] local-user client001 level 3
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit

Step 5 Enable the STelnet server function and set password as the default authentication type. The service type of the SSH user is set with the ssh user user-name service-type stelnet command described in 3.4.3 Step 6; by default the service type is none.

[~SSH Server] stelnet server enable
[~SSH Server] ssh authentication-type default password
[~SSH Server] commit

Step 6 Verify the configuration.

# Access the STelnet server by using the OpenSSH software, for example ssh client001@10.137.217.225, and log in with the password configured in Step 4.

Figure 3-19 Schematic diagram for accessing the STelnet server by using the OpenSSH software

----End

Configuration Files

- Configuration file of the SSH server

#
 sysname SSH Server
#
rsa local-key-pair create 512
rsa local-key-pair host-key begin
AC010000ABABABAB00486F737400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000DB07020B0D0008370200849A356ACBBAC7DBCAB38BA7E9B9B44BDA92208B805287743DD3786B98E23889858D07DC8E2B8B371D8C0FC889D7ACD4AA43456973B3EB990E4C93965180EAD43A5F0D8DBAEF607B2642C968EC4E3DF61D5FE326DDAECC9AAE4FF7D1C9A4810045EBB574B618BFFC038555F3F9D9896B2B58ED0B92C551C7223B20646DBF6F5369B2BDF0D4B61208D8B52156A095D11EFCD901C85D4A21332249A63107F7AD3D13885CCC79D5480B4114E0EE984BEE8E9DA4F11945201D0F9DED9A36CCCFC40FDB07D6F746F0060F95B4C802ACE64E72EBF656AC34335526E4182ABA809C0402A110D932FA65167199A4F504AF0503DEC1F10A5807A2C9643C09FD1B127199D3AC6E609F9EA78EF6341CDDC9B45D84AC83C1C383558841346B893D2F6322E1562DE58F947D6F769E525A05376B70F8C39599F4228A468916C617B61AF1864D4E574C17FC23EA6818A0F68E00D124AD2488E89C2379777BD4
rsa local-key-pair host-key end
#
stelnet server enable
ssh authentication-type default password
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 10.137.217.225 255.255.0.0
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
aaa
 local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user client001 level 3
 local-user client001 service-type ssh
#
admin
return
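The two configuration files above (3.5.2 and 3.5.3) contain the settings that decide how exposed management login is: a VTY block without protocol inbound ssh still accepts Telnet, a VTY block without an inbound ACL accepts any source address, a local user with service-type telnet logs in in clear text, a password stored as simple is readable in the file, a 512-bit host key is weak, and SSH1.X compatibility stays enabled unless it is undone (3.4.5). The following Python script is added here as an example and is not part of the Huawei guide; it checks a VRP-style configuration for those points. CONFIG_SAMPLE is constructed from fragments of both files; the acl 2000 rule, the user huawei with a simple password and the user-interface vty 5 9 block are hypothetical, and the host-key hex block is left out. The check for undo ssh server compatible-ssh1x enable assumes that line is what the file records when the default is changed.

```python
"""Audit a VRP-style configuration file for the login-hardening points of this chapter."""
import re

# Constructed from fragments of the two configuration files above; the acl 2000 rule,
# the user huawei and the "user-interface vty 5 9" block are hypothetical additions.
# The RSA host-key hex block that follows "rsa local-key-pair create" in a real file is omitted.
CONFIG_SAMPLE = """\
#
 sysname SSH Server
#
rsa local-key-pair create 512
#
stelnet server enable
ssh authentication-type default password
#
acl number 2000
 rule 5 permit source 10.137.0.0 0.0.255.255
#
aaa
 local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user client001 level 3
 local-user client001 service-type ssh
 local-user huawei password simple hello
 local-user huawei level 3
 local-user huawei service-type telnet
 #
 authentication-scheme default
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 acl 2000 inbound
#
user-interface vty 5 9
 authentication-mode aaa
#
return
"""


def parse_stanzas(text: str) -> list:
    """Split the file into stanzas: an unindented command plus its indented lines.
    A top-level '#' ends a stanza; an indented '#' (as inside aaa) does not."""
    stanzas, current = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            if not raw.startswith(" "):
                current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                current["lines"].append(stripped)
        else:
            current = {"head": stripped, "lines": []}
            stanzas.append(current)
    return stanzas


def audit_config(text: str) -> list:
    """Return (scope, finding) pairs; an empty list means every check passed."""
    findings = []
    stanzas = parse_stanzas(text)
    heads = [s["head"] for s in stanzas]

    key_bits = None
    for head in heads:
        m = re.match(r"rsa local-key-pair create (\d+)$", head)
        if m:
            key_bits = int(m.group(1))
    if key_bits is None:
        findings.append(("global", "no local RSA key pair: run rsa local-key-pair create"))
    elif key_bits < 2048:
        findings.append(("global", f"{key_bits}-bit RSA host key: regenerate with a 2048-bit modulus"))
    # 3.4.5: SSH1.x compatibility is on by default, so only the undo form shows up in the file
    # (assumption about how the device records the changed default).
    if "undo ssh server compatible-ssh1x enable" not in heads:
        findings.append(("global", "SSH1.x compatibility at its default (enabled): run undo ssh server compatible-ssh1x enable"))

    for stanza in stanzas:
        head, lines = stanza["head"], stanza["lines"]
        if head == "aaa":
            for line in lines:
                m = re.match(r"local-user (\S+) password simple ", line)
                if m:
                    findings.append(("aaa", f"local-user {m.group(1)}: password stored as simple (plain text); use cipher"))
                m = re.match(r"local-user (\S+) service-type telnet$", line)
                if m:
                    findings.append(("aaa", f"local-user {m.group(1)}: service-type telnet permits a clear-text login; use ssh"))
        elif head.startswith("user-interface vty"):
            if "protocol inbound ssh" not in lines:
                findings.append((head, "accepts Telnet (user interfaces do so by default); set protocol inbound ssh"))
            if "authentication-mode aaa" not in lines:
                findings.append((head, "authentication-mode is not aaa"))
            if not any(re.match(r"acl \S+ inbound$", line) for line in lines):
                findings.append((head, "no inbound ACL: any source address may connect"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_config(CONFIG_SAMPLE):
        print(f"{scope}: {finding}")
```

Against CONFIG_SAMPLE the vty 0 4 block passes and the vty 5 9 block, the user huawei, the 512-bit key and the SSH1.x default are reported; paste the output of display current-configuration from a router in place of the sample to run the same checks on a live configuration.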


4 Transferring Files

About This Chapter

File transfer protocols move files between the device and remote hosts such as PCs and servers.

4.1 File Transfer Overview
The File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and Secure File Transfer Protocol (SFTP) can be used to operate and manage files.

4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E
This section describes the file transfer modes supported by the HUAWEI NetEngine5000E based on usage scenarios. Familiarizing yourself with the usage scenarios helps you rapidly and accurately complete the configurations.

4.3 Operating Files After Logging In to the System
Users can operate files after logging in to the system, including managing storage devices, directories, and files.

4.4 Using FTP to Operate Files
FTP is used to transfer files between local clients and remote servers.

4.5 Using SFTP to Operate Files
SFTP enables users to log in to a remote device securely from PCs to manage files. This improves the security of data transmission for remote upgrade.

4.6 Configuration Examples
This section provides configuration examples for operating files after logging in to the system or by using FTP or SFTP. These configuration examples explain networking requirements, configuration roadmap, and precautions.


4.1 File Transfer Overview

The File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and Secure File Transfer Protocol (SFTP) can be used to operate and manage files.

FTP

FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer files between local clients and remote servers. FTP uses two TCP connections to copy a file from one system to another. The TCP connections are usually established in client-server mode, one for control (the server port number is 21) and the other for data transmission (the server port number is 20 in active mode; in passive mode the server listens on an ephemeral port that it reports to the client).

l Control connection: issues commands from the client to the server and transmits repliesfrom the server to the client, minimizing the transmission delay.

l Data connection: transmits data between the client and server, maximizing the throughput.

FTP has two file transfer modes:

l Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.

l ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.

The device provides the following FTP functions:

l FTP client: Users can use the terminal emulator or the Telnet program to connect PCs tothe device, and run the ftp command to establish a connection between the device and aremote FTP server to access and operate files on the server.

l FTP server: Users can use an FTP client program to log in to the device and operate files on the device. Before users log in, the network administrator must configure an IP address for the FTP server.

TFTP

TFTP is an application protocol based on User Datagram Protocol (UDP) connections. It usesthe UDP port number 69 to transfer files between local hosts and remote servers. Unlike FTP,TFTP is simple, providing no authentication. It is applicable to scenarios where complicatedinteractions between clients and the server are not required.

TFTP supports both binary and ASCII file transfer modes, which are also supported by FTP.

NOTE

l Currently, the HUAWEI NetEngine5000E supports only the binary mode for TFTP.

l Currently, the HUAWEI NetEngine5000E can function only as a TFTP client but not a TFTP server.

TFTP transfer requests are initiated by clients:

l When a TFTP client needs to download files from the server, the client sends a read requestto the TFTP server. The server sends data packets to the client, and the client acknowledgesthe data packets.

l When a TFTP client needs to upload a file to the server, the client sends a write requestand then data to the server, and receives acknowledgments from the server.
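The read and write exchanges described above, carried out in Python as an added example that is not part of this guide or of Huawei's software. Both ends of the exchange are modelled in memory, with a constructed file store standing in for the server, so that the script runs offline; the packet layouts follow RFC 1350 (opcodes 1 to 5, 2-byte block numbers, 512-byte data blocks), and the request packet shows why TFTP cannot authenticate a client: it carries nothing but a file name and a transfer mode.

```python
"""TFTP (RFC 1350) read/write exchanges simulated in memory.

Added example: not Huawei code. The server's file store is constructed
sample data; no packet leaves the host.
"""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # fixed by RFC 1350; a block shorter than this ends the transfer


def build_request(opcode, filename, mode="octet"):
    # An RRQ/WRQ is only "opcode | filename | 0 | mode | 0": there is no field
    # for a user name or password, which is why TFTP has no authentication.
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse(packet):
    """Decode a TFTP packet into (opcode, fields)."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (RRQ, WRQ):
        filename, mode, _ = packet[2:].split(b"\0", 2)
        return opcode, (filename.decode(), mode.decode())
    if opcode == DATA:
        return opcode, (struct.unpack("!H", packet[2:4])[0], packet[4:])
    if opcode == ACK:
        return opcode, (struct.unpack("!H", packet[2:4])[0],)
    if opcode == ERROR:
        return opcode, (struct.unpack("!H", packet[2:4])[0], packet[4:-1].decode())
    raise ValueError("unknown TFTP opcode %d" % opcode)


class TftpServer:
    """Minimal server side: answers RRQ with DATA block 1, WRQ with ACK 0."""

    def __init__(self, files):
        self.files = dict(files)  # constructed sample store: name -> bytes

    def handle_request(self, packet):
        """Return the server's first reply packet for an RRQ or WRQ."""
        opcode, (name, _mode) = parse(packet)
        if opcode == RRQ:
            if name not in self.files:
                return build_error(1, "File not found")
            return self.data_block(name, 1)
        self.files[name] = b""  # WRQ: start an empty file, acknowledge with block 0
        return build_ack(0)

    def data_block(self, name, block):
        start = (block - 1) * BLOCK_SIZE
        return build_data(block, self.files[name][start:start + BLOCK_SIZE])

    def handle_ack(self, name, block):
        """Client acknowledged `block`; return the next DATA block or None."""
        if len(self.files[name]) - (block - 1) * BLOCK_SIZE < BLOCK_SIZE:
            return None  # the acknowledged block was short: transfer complete
        return self.data_block(name, block + 1)

    def handle_data(self, name, block, payload):
        self.files[name] += payload
        return build_ack(block)


def tftp_get(server, filename):
    """Client side of a read. Returns (data, None) or (None, error_fields)."""
    reply = server.handle_request(build_request(RRQ, filename))
    opcode, fields = parse(reply)
    if opcode == ERROR:
        return None, fields
    received = bytearray()
    while reply is not None:
        _, (block, payload) = parse(reply)
        received += payload
        (acked,) = parse(build_ack(block))[1]  # the client ACKs every block
        reply = server.handle_ack(filename, acked)
    return bytes(received), None


def tftp_put(server, filename, data):
    """Client side of a write. Returns the number of DATA blocks sent."""
    assert parse(server.handle_request(build_request(WRQ, filename))) == (ACK, (0,))
    block, sent = 0, 0
    while True:
        chunk = data[sent:sent + BLOCK_SIZE]
        block += 1
        ack = server.handle_data(filename, *parse(build_data(block, chunk))[1])
        assert parse(ack) == (ACK, (block,))
        sent += len(chunk)
        if len(chunk) < BLOCK_SIZE:  # a short (possibly empty) block ends the write
            return block
```

A 1024-byte file is sent as three DATA blocks (512, 512, then an empty block), because the transfer only ends when a block shorter than 512 bytes arrives; this is also why an attacker on the path can truncate a transfer undetectably by forging one short block, since nothing in the exchange is authenticated.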


SFTP

SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely log in to the device to manage and transfer files. On the other hand, the device can function as an SFTP client so that users can log in to a remote server and transfer files securely.

When the SFTP server or the connection between the server and the client fails, the client needs to detect the fault in time and tear down the connection proactively. To help the client detect such a fault in time, configure the interval at which Keepalive packets are sent when no packet is received, and the maximum number of times that the server may fail to respond:

l If the client does not receive any packet within the specified period, the client sends a Keepalive packet to the server.

l If the number of times that the server does not respond exceeds the specified value, the client proactively releases the connection.

4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E

This section describes file transfer modes supported by the HUAWEI NetEngine5000E basedon usage scenarios. Familiarizing yourself with the usage scenarios helps you rapidly andaccurately complete the configurations.

Table 4-1 lists file transfer modes supported by the HUAWEI NetEngine5000E.

NOTE

The file to be uploaded must be smaller than 2 GB. The device cannot display information about a file larger than 2 GB.

Table 4-1 Usage scenarios for file transfer modes

File transfer mode: FTP

Advantages:
l Is based on TCP connections and therefore has all TCP characteristics (reliable, ordered delivery).
l Supports authentication and authorization.
l Supports file transfer between hosts with different file systems.

Disadvantages:
l FTP commands are complicated and numerous.
l FTP requires more memory resources than TFTP.
l Data, and even user names and passwords, are transmitted in plain text, bringing security risks.

Usage scenario:
FTP can be used on networks that have delay, packet loss, and jitter. FTP is used for version upgrade and file transfer.

File transfer mode: TFTP

Advantages:
l Is based on UDP.
l TFTP requires fewer memory resources than FTP.

Disadvantages:
l TFTP supports only file transfer, not interaction.
l TFTP does not allow users to list directories or negotiate with the server to determine which files can be obtained.
l TFTP provides no authentication or authorization and transmits data in plain text. This adds security risks and leaves the device vulnerable to attacks and network viruses.

Usage scenario:
TFTP can be used to load and upgrade software on a local area network (LAN) in a laboratory where network conditions are good. TFTP is applicable to networks where complicated interactions between clients and the server are not required. For details, see 5.4 Using TFTP to Access Other Devices.

File transfer mode: SFTP

Advantages:
l Data are encrypted and their integrity is guaranteed. SFTP provides high security.

Disadvantages:
l Data transmission efficiency is lower than that of FTP or TFTP.
l Terminals must have third-party software installed to support SFTP.

Usage scenario:
SFTP is applicable to networks that have high security requirements.

4.3 Operating Files After Logging In to the System

Users can operate files after logging in to the system, including managing storage devices, directories, and files.

Applicable Environment

When a device fails to save or obtain data, you can log in to the system to repair the faulty storagedevice or manage files or directories on the device.

This file operation mode is used when storage devices need to be managed.

Pre-configuration Tasks

After logging in to the system, complete the following tasks before operating the files:

l 3 Configuring User Login


Configuration Procedures

Figure 4-1 Operating files after logging in to the system (flowchart: manage directories; manage files; the figure distinguishes mandatory from optional procedures)

4.3.1 Managing Directories

You can manage directories to save files logically in hierarchies.

Context

You can change and display the current directory, display the files and sub-directories in a directory, and create and delete directories.

Perform one or more of the following operations as required:

Procedure

l Run:
cd directory

The current directory of the device is changed.

l Run:
pwd

The current directory of the device is displayed.

l Run:
dir [ /all ] [ filename ]

The files and sub-directories in the directory are displayed.

l Run:
mkdir directory

A directory is created.

l Run:
rmdir directory

A directory is deleted.

----End

4.3.2 Managing Files

Files on a device can be deleted or renamed by logging in to the file system.

Files can be viewed, copied, moved, deleted, or renamed.


Perform one or more of the operations shown in Table 4-2 as needed.

Table 4-2 File management

Displaying a file
Run the more file-name command.
file-name is in the [ drive ][ path ][ file-name ] format, ranging from 1 to 128 characters. An absolute path name ranges from 1 to 128 characters, supporting a maximum of 8-level directories. If the file is on another chassis, slot, or CF card, the file path must contain the chassis ID, slot number, or CF card information.

Copying a file
Run the copy source-filename destination-filename command.
source-filename and destination-filename are in the [ drive ][ path ][ file-name ] format, ranging from 1 to 128 characters. An absolute path name ranges from 1 to 128 characters, supporting a maximum of 8-level directories. If the file needs to be copied to another chassis, slot, or CF card, the file path must contain the chassis ID, slot number, or CF card information.

Moving a file
Run the move source-filename destination-filename command.
source-filename and destination-filename are in the [ drive ][ path ][ file-name ] format and can contain a wildcard (*). The file name ranges from 1 to 128 characters. An absolute path name ranges from 1 to 128 characters, supporting a maximum of 8-level directories. If the file needs to be moved to another chassis, slot, or CF card, the file path must contain the chassis ID, slot number, or CF card information. When destination-filename is a directory name, the source file is moved to that directory and keeps its file name.

Deleting a file
Run the delete [ /unreserved ] filename command.
Without /unreserved, the deleted file goes to the recycle bin and can be restored with the undelete command. /unreserved deletes the file permanently; a file deleted this way cannot be restored.

Restoring a deleted file
Run the undelete filename command.
l If a file is deleted by mistake, run the undelete command to restore it. A file deleted with the delete /unreserved command cannot be restored.
l If the current directory is not the root directory, use the absolute path when operating files.

Removing a file from the recycle bin
Run the reset recycle-bin [ /f | filename ] command.
/f deletes all files from the recycle bin without asking the user to confirm each deletion.
NOTE
This command deletes files from the recycle bin permanently; the deleted files cannot be restored. Exercise caution when using this command.

Renaming a file
Run the rename source-filename destination-filename command.


4.4 Using FTP to Operate Files

FTP is used to transfer files between local clients and remote servers.

Applicable Environment

As devices operate stably and are deployed in large scopes, more and more devices need to bemaintained and upgraded remotely. Online software upgrade, as a new upgrade method byloading software packages remotely, facilitates remote online upgrade, reduces upgradeexpenditure, shortens the time that customers wait for upgrade, and improves customers'satisfaction. In real world situations, the delay, packet loss, and jitter affect data transmissionon networks. To guarantee the quality of online upgrade and data transmission, use FTP toperform online upgrade and transfer files based on TCP connections.

Pre-configuration Tasks

Before operating files by using FTP, complete the following task:

l 3 Configuring User Login

Configuration Procedures

Figure 4-2 File operation by using FTP (flowchart: configure local FTP users; configure the listening port number of the FTP server (optional); configure FTP server parameters (optional); enable the FTP server function; configure FTP access control (optional); use the FTP software to access the system; use FTP commands to operate files)


4.4.1 Configuring a Local FTP User

Authentication information, the authorization mode, and the authorization directory can be configured for an FTP user to prevent unauthorized users from accessing the specified directory.

Context

To operate files by using FTP, configure a local user name and password on the device serving as the FTP server, and specify the service type and the directory that the user can access. Otherwise, the user cannot access the FTP server.

Perform the following steps on the device that functions as an FTP server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password

The user name and password are set.

l If the password is in the simple form, the password is entered and stored in plain text.
l If the password is in the cipher form, the password can be entered either as encrypted text or as plain text; the stored result is determined by the input.

Use the cipher form so that the password does not appear in plain text in the configuration file. Remember that FTP itself still sends the password in plain text over the network when the user logs in.

Step 4 Run:
local-user user-name service-type ftp

FTP is configured as the service type for the FTP user.

Step 5 Run:
local-user user-name ftp-directory directory

The authorization directory is configured for the FTP user.

CAUTION
If no directory is configured, the user's authorization directory defaults to cfcard:/, the root of the CF card, so the user can reach every file stored on it. Specify the narrowest directory that the user needs.

Step 6 Run:
commit

The configuration is committed.

----End


4.4.2 (Optional) Changing the Listening Port Number of the FTP Server

Changing the listening port number of the FTP server keeps the server off the default port that automated scans and attack tools try first. It is not an access control: a port scan still finds the new port, so combine it with an ACL (see 4.4.5) and disable the server when it is not in use (see 4.4.3).

Context

By default, the listening port number of the FTP server is 21. Users can log in to a device functioning as an FTP server directly by using the default listening port number. Attackers may also connect to the default listening port, consuming bandwidth, degrading server performance, and preventing valid users from accessing the server. After the listening port number is changed, attackers who probe only the default port no longer reach the server. Attackers who scan all ports still find it.

NOTE

If the FTP server is already enabled when the port number is changed, the FTP server restarts.

Do as follows on the device that functions as an FTP server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] server port port-number

The listening port number of the FTP server is changed.

If a new listening port number is set, the FTP server terminates all established FTP connections, and then uses the new port number to listen for new FTP connection attempts.

Step 3 Run:
commit

The configuration is committed.

----End

4.4.3 Enabling the FTP Server Function

Before using FTP to operate files, enable the FTP server function on the device.

Context

By default, the FTP server function is disabled. Therefore, you must enable the FTP serverfunction before using FTP.

Do as follows on the device that functions as an FTP server:


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp [ ipv6 ] server enable

The FTP server function is enabled.

NOTE

After the files have been transferred between the client and the server, run the undo ftp [ ipv6 ] server command to disable the FTP server function as soon as possible. While the function is enabled, the server accepts plain-text logins from every host that the ACL (if one is configured) permits.

Step 3 Run:
commit

The configuration is committed.

----End

4.4.4 (Optional) Configuring FTP Server Parameters

Configuring proper parameters for the FTP server guarantees device security and maximizes resource usage.

Context

The FTP server parameters include the source address of the FTP server and the timeout period of an idle FTP connection.

l Specifying the source address of the FTP server restricts the destination address accessedby clients, ensuring security.

l After the timeout period of an idle FTP connection is configured, if a client and the serverdo not exchange messages within the specified timeout period, the server terminates theconnection and releases the FTP connection resource.

Perform the following steps on the device that functions as an FTP server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Configure the following FTP server parameters as required:

l Run the ftp server-source { -a source-ip-address | -i interface-type interface-number } command to configure the source address of the FTP server.
By default, the source IP address of an FTP server is 0.0.0.0, that is, the server accepts connections on any address of the device. The source address must be a loopback address, and the source interface must be a loopback interface. After the source address is configured, the address specified in the ftp command for login to the FTP server must be the configured source address. Otherwise, the login fails.

l Run the ftp timeout minutes command to set the timeout period of an idle FTP connection.
By default, the timeout period of an idle FTP connection is 30 minutes.

Step 3 Run:
commit

The configuration is committed.

----End

4.4.5 (Optional) Configuring FTP Access Control

An ACL can be configured to allow only specified clients to access an FTP server.

Context

When a device functions as an FTP server, you can configure an ACL so that only the clients that match the permit rules in the ACL can access the FTP server.

Do as follows on the device that functions as an FTP server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | fragment-type fragment-type-name | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

A rule is configured. End the ACL with an explicit rule deny source any so that clients matching no permit rule are rejected without relying on the device's default treatment of unmatched packets.

NOTE

FTP supports only basic ACLs whose numbers range from 2000 to 2999.

Step 4 Run:
ftp acl { acl-number | acl-name acl-name }

A basic ACL is configured to filter FTP users.

Step 5 Run:
commit

The configuration is committed.

----End
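Working through the access-control decision above as an added example, not Huawei code: the configuration text is constructed from the acl, rule and ftp acl commands in this section, and the client addresses are sample values. The script parses the basic ACL, applies Huawei wildcard-mask matching (a 1 bit in the wildcard means the corresponding address bit is not compared) in rule-ID order with first match wins, and reports which sample clients reach the FTP server. What the device does with a client that matches no rule is not assumed; the sample ACL ends with an explicit deny so the outcome never depends on that default, and the function returns a distinct marker if a rule set without such a deny leaves a client unmatched.

```python
"""Which clients does a basic ACL bound with `ftp acl` admit?

Added example: not Huawei code. SAMPLE_CONFIG is constructed from the
commands in section 4.4.5; the client addresses are sample values.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
#
acl 2001
 rule 5 permit source 10.18.26.0 0.0.0.255
 rule 10 permit source 192.0.2.7 0
 rule 15 deny source any
#
ftp acl 2001
ftp server enable
#
"""

RULE_RE = re.compile(
    r"^\s*rule\s+(?:(\d+)\s+)?(permit|deny)\s+source\s+"
    r"(?:(any)|(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3}|0))\b"
)


def _addr(text):
    # VRP shows a host wildcard as a bare "0"; everything else is dotted quad
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_acls(config):
    """{acl_number: [(rule_id, action, network, wildcard), ...]} in config order."""
    acls, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^acl\s+(\d+)\s*$", line)
        if head:
            current = int(head.group(1))
            acls[current] = []
            continue
        if line.startswith("#"):
            current = None  # "#" closes the acl view in a VRP config file
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            rule_id, action, any_src, net, wild = rule.groups()
            if any_src:
                net, wild = "0.0.0.0", "255.255.255.255"  # "any": no bit is compared
            acls[current].append(
                (int(rule_id) if rule_id else None, action, _addr(net), _addr(wild)))
    return acls


def bound_ftp_acl(config):
    found = re.search(r"^ftp acl (\d+)\s*$", config, re.M)
    return int(found.group(1)) if found else None


def rule_matches(rule, client_ip):
    """Huawei wildcard mask: 1 = don't care, 0 = must match (inverse of a netmask)."""
    _, _, net, wild = rule
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(client_ip)) & care == net & care


def ftp_access(config, client_ip, unmatched="unmatched"):
    """'permit' / 'deny' from the first matching rule (ascending rule ID, or
    config order if IDs are absent); `unmatched` when no rule matches."""
    acl_number = bound_ftp_acl(config)
    if acl_number is None:
        return "permit"  # no `ftp acl`: the server is not filtering clients at all
    rules = parse_acls(config).get(acl_number, [])
    if rules and all(r[0] is not None for r in rules):
        rules = sorted(rules, key=lambda r: r[0])
    for rule in rules:
        if rule_matches(rule, client_ip):
            return rule[1]
    return unmatched


def access_report(config, clients):
    """Map each sample client address to its access decision."""
    return {ip: ftp_access(config, ip) for ip in clients}


if __name__ == "__main__":
    report = access_report(
        SAMPLE_CONFIG, ["10.18.26.139", "192.0.2.7", "192.0.2.8", "10.18.27.1"])
    for ip, decision in report.items():
        print(f"{ip:16} {decision}")
```

Deleting the closing deny rule from the sample turns the result for 10.18.27.1 from "deny" into "unmatched", which is exactly the situation the explicit deny is there to avoid.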

4.4.6 Using FTP to Access the System

After an FTP server is configured, you can access the server from a PC by using FTP to manage the files on the server.


Context

To log in to the FTP server from the PC, use either the Windows Command Prompt or third-party software. The Windows Command Prompt is used as an example.

Do as follows on the PC:

Procedure

Step 1 Enter the Windows Command Prompt window.

Step 2 Run the ftp ip-address command to log in to the server by using FTP.

Enter the user name and password at the prompt, and press Enter. When the command promptof the FTP client view is displayed, such as ftp>, you have entered the working path of the FTPserver, as shown in Figure 4-3.

Figure 4-3 Schematic diagram for the working path of the FTP server

----End

4.4.7 Using FTP to Operate Files

After logging in to a device that functions as an FTP server by using FTP, you can upload files to or download files from the device, and manage the directories of the device.

Context

Table 4-3 lists FTP file attributes.

Table 4-3 File attributes

FTP file type
l ASCII type: The file is transmitted as ASCII text, and line endings are converted to the receiving system's convention. Use this type only for text files.
l Binary type: The file is transmitted byte for byte without conversion. Use this type for program files such as .app, .bin, and .btm files.

FTP data connection mode
The following data connection modes can be set for the FTP server:
l ACTIVE mode: The server proactively connects to the client during connection establishment.
l PASV mode: The server waits to be connected by the client during connection establishment.
During connection establishment, the FTP client determines whether ACTIVE or PASV mode is used.

Procedure

Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:

l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ portnumber ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to establish a connection to the FTP server and enter the FTP client view.

l Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ portnumber ] command to use an IPv6 address to establish a connection to the FTP server and enter the FTP client view.

Step 2 Perform one or more of the operations shown in Table 4-4 as needed.

Table 4-4 File operations

Managing files

Configuring the file type
l Run the ascii command to set the file type to ASCII.
l Run the binary command to set the file type to binary.
The FTP file type is determined by the client. By default, the ASCII type is used. Set the binary type before transferring software packages; an ASCII transfer alters their bytes and corrupts them.

Configuring the data connection mode
l Run the passive command to set the data connection mode to PASV.
l Run the undo passive command to set the data connection mode to ACTIVE.
By default, the PASV mode is used.

Uploading files
l Run the put local-filename [ remote-filename ] command to upload a file from the local device to a remote server.
l Run the mput local-filenames command to upload multiple files from the local device to a remote server.

Downloading files
l Run the get remote-filename [ local-filename ] command to download a file from a remote server and save it on the local device.
l Run the mget remote-filenames command to download multiple files from a remote server and save them on the local device.

Enabling the file transfer prompt function
l If the prompt command is run in the FTP client view to enable the file transfer prompt function, the system asks you to confirm each upload or download.
l If the prompt command is run again in the FTP client view, the file transfer prompt function is disabled.
NOTE
The prompt command applies when the mput or mget command is used to upload or download files. If the local device already has a file that the mget command would download, the system asks whether to overwrite the existing file regardless of whether the file transfer prompt function is enabled.

Enabling the FTP verbose function
Run the verbose command.
After the verbose function is enabled, all FTP response information is displayed. After a file transfer is complete, statistics about the transmission rate are displayed.

Managing directories

Changing the working path of a remote FTP server
Run the cd pathname command.

Changing the working path of an FTP server to the parent directory
Run the cdup command.

Displaying the working path of an FTP server
Run the pwd command.

Displaying files in a directory and the list of sub-directories
Run the dir [ remote-directory [ local-filename ] ] command.
If no path name is specified for a remote file, the system searches for the file in the user's authorized directory.

Displaying a specified remote directory or file on an FTP server
Run the ls [ remote-directory [ local-filename ] ] command.

Displaying or changing the working path of an FTP client
Run the lcd [ directory ] command.
The lcd command displays the local working path of the FTP client, while the pwd command displays the working path of the remote FTP server.

Creating a directory on an FTP server
Run the mkdir remote-directory command.
The directory name can be a combination of letters and numbers, excluding special characters such as "<", ">", "?", "\", or ":".

Deleting a directory from an FTP server
Run the rmdir remote-directory command.

Displaying online help for an FTP command
Run the remotehelp [ command ] command.

Changing an FTP user
Run the user username [ password ] command.

Step 3 Perform either of the following operations as needed to terminate an FTP connection:

l Run the bye or quit command to terminate the connection to the FTP server and return to the user view.

l Run the close or disconnect command to terminate the connection to the FTP server and the FTP session but remain in the FTP client view.

Step 4 Run:
commit

The configuration is committed.

----End

4.4.8 Checking the Configuration

After completing the configuration of file operation by using FTP, you can view the configuration and status of the FTP server as well as information about logged-in FTP users.

Prerequisite

The configuration of file operation by using FTP is complete.

Procedure

l Run the display ftp-server command to check the configuration and status of the FTP server.

l Run the display ftp-users command to check information about logged-in FTP users.

----End

Example

Run the display ftp-server command to view the configuration and status of the FTP server.

<HUAWEI> display ftp-server
--------------------------------------------------------------------------
Server State              : enabled
IPv6 server State         : enabled
Timeout value (mins)      : 30
Listen port               : 21
IPv6 listen port          : 21
ACL 4 name                :
ACL 4 number              : 0
Current user count        : 0
Max user number           : 15
Source IPv4 address       : 0.0.0.0
Source interface          :
--------------------------------------------------------------------------

Run the display ftp-users command to view information about logged-in FTP users, including the user name, the client's host address and control port, the idle time, and the authorized (root) directory.

<HUAWEI> display ftp-users
-----------------------------------------------------------
User Name        : root
Host Address     : 2607:F0D0:1002:11::126
Control Port     : 20465
Idle Time (mins) : 1
Root Directory   : cfcard:/

User Name        : root
Host Address     : 10.18.26.139
Control Port     : 28783
Idle Time (mins) : 0
Root Directory   : cfcard:/
-----------------------------------------------------------

4.5 Using SFTP to Operate Files

SFTP enables users to log in to a remote device securely from PCs to manage files. This improves the security of data transmission for remote upgrade.

Applicable Environment

As devices operate stably and are deployed in large numbers, more and more devices need to be maintained and upgraded remotely. Online software upgrade, a method of upgrading by loading software packages remotely, facilitates remote upgrade, reduces upgrade expenditure, shortens the time that customers wait for an upgrade, and improves customer satisfaction. FTP is usually used to transmit data for online upgrade, but FTP transmits data, and even user names and passwords, in plain text, bringing security risks.

SFTP enables users to log in to a remote device securely from PCs to manage files. This improves the security of data transmission for remote upgrade. In addition, the device can function as an SFTP client. This allows users that have logged in to the device to access other remote devices to transfer files and perform online upgrade by using SFTP.

Pre-configuration Tasks

Before operating files by using SFTP, complete the following task:

l 3 Configuring User Login


Configuration Procedures

Figure 4-4 Operating files by using SFTP (flowchart: configure an SSH user and specify SFTP as the service type; enable the SFTP server function; configure SFTP server parameters; use SFTP to access the system; use SFTP commands to operate files; the figure distinguishes mandatory from optional procedures)

4.5.1 Configuring an SSH User and Specifying the Service Type

To allow users to log in to the device by using SFTP, configure an SSH user, configure the device to generate a local RSA key pair, configure a user authentication mode, and specify a service type for the SSH user.

Context

l SSH users can be authenticated in four modes: RSA, password, password-RSA, and all. Password authentication depends on AAA. Before a user logs in to the device in password or password-RSA authentication mode, a local user with the same user name must be created in the AAA view.

l Configuring the system to generate a local RSA key pair is a key step for SSH login. If an SSH user logs in to an SSH server in password authentication mode, configure the server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA authentication mode, configure both the server and the client to generate local RSA key pairs.

NOTE

Password-RSA authentication requires both password authentication and RSA authentication to succeed. The all authentication mode requires either password authentication or RSA authentication to succeed, so it is the weaker of the two: a user who holds only the password, or only the private key, is accepted.

Do as follows on the device that functions as an SSH server:


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh user user-name

An SSH user is created.

If password or password-RSA authentication is configured for the SSH user, create the same SSH user in the AAA view and set the local user access type to SSH.

1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password { simple | cipher } password command to configure a local user name and a password.
3. Run the local-user user-name service-type ssh command to set the local user access type to SSH.
4. Run the quit command to exit from the AAA view and enter the system view.

By default, a local user can use any access type. You can specify an access type to allow only users configured with the specified access type to log in to the device.

Step 3 Run:
rsa local-key-pair create

A local RSA key pair is generated.

NOTE

- The rsa local-key-pair create command must be used to create a local RSA key pair before other SSH-related configuration.

- After the key pair is generated, run the display rsa local-key-pair public command to view information about the public key in the local key pair.

Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }

An authentication mode is set for the SSH user.

Perform either of the following operations as needed:

- Configure password authentication.
– Run the ssh user user-name authentication-type password command to configure password authentication.
– Run the ssh authentication-type default password command to configure default password authentication.
If local or HWTACACS authentication is used and there are only a few users, use password authentication. If there are a large number of users, use default password authentication to simplify configuration.

- Configure RSA authentication.
1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.


2. Run the rsa peer-public-key key-name command to enter the public key view.

3. Run the public-key-code begin command to enter the public key edit view.

4. Enter hex-data to edit the public key.

NOTE

- In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see the manuals for the SSH client software.

- After entering the public key edit view, paste the RSA public key generated on the client to the server.

5. Run the public-key-code end command to exit from the public key edit view.

- Running the peer-public-key end command generates a key only after valid hex-data complying with the public key format is entered.

- If the peer-public-key end command is used after the key key-name specified in Step b is deleted in another window, the system prompts a message indicating that the key does not exist, and the system view is displayed.

6. Run the peer-public-key end command to return to the system view.

7. Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a public key.

Step 5 (Optional) Configure basic authentication information for the SSH user.

1. Run the ssh server rekey-interval hours command to set an interval at which the key of the server is updated.

By default, the interval is 0, indicating that the key is never updated.

2. Run the ssh server timeout seconds command to set the timeout period for SSH authentication.

By default, the timeout period is 60 seconds.

3. Run the ssh server authentication-retries times command to set the retry times of SSH authentication.

By default, SSH authentication retries a maximum of 3 times.

Step 6 Run:
ssh user username service-type { sftp | all }

The service type of an SSH user is set to SFTP or all.

By default, the service type of an SSH user is none. That is, no service is supported.

Step 7 Run:
commit

The configuration is committed.

----End

4.5.2 Enabling the SFTP Server Function
Before using SFTP to access a device, enable the SFTP server function on the device.


Context
By default, the device is not enabled with the SFTP server function. Users can use SFTP to establish connections to the device only after the SFTP server function is enabled on the device.

Do as follows on the device that functions as an SSH server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sftp server enable

The SFTP server function is enabled.

By default, the SFTP server function is disabled.

Step 3 Run:
commit

The configuration is committed.

----End

4.5.3 (Optional) Configuring SFTP Server Parameters
You can configure a device to support the SSH protocol of earlier versions, configure or change the listening port number of an SFTP server, and set an interval at which the key pair of the SFTP server is updated.

Context
Table 4-5 lists SFTP server parameters.

Table 4-5 Description of SFTP server parameters

Earlier SSH version compatibility: SSH has two versions: SSH1.X (earlier than SSH2.0) and SSH2.0. Compared with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key exchange methods. In addition, SSH2.0 supports more advanced services such as SFTP. The HUAWEI NetEngine5000E supports SSH versions 1.3 to 2.0.

Listening port number of an SFTP server: The default listening port number of an SFTP server is 22. Users can log in to the device by using the default listening port number. Attackers may access the default listening port, consuming bandwidth, affecting performance of the server, and preventing valid users from accessing the server. After the listening port number of the SFTP server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.

Interval at which the key pair of the SFTP server is updated: After the interval is set, the key pair of the SFTP server is updated periodically to improve security.

Timeout period of an idle connection: If a connection stays idle for the whole timeout period, the system automatically cuts off the connection when the timeout period expires. This prevents users from occupying connection resources for a long time without performing any operation.

Maximum number of clients that can be connected to the server: If the specified maximum number is smaller than the number of clients currently connected to the server, the logged-in users are not forced offline, but the server no longer accepts new connection requests.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Perform one or more operations shown in Table 4-6 as needed.

Table 4-6 Configurations of SFTP server parameters

Earlier SSH version compatibility: Run the ssh server compatible-ssh1x enable command. By default, an SFTP server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable support for earlier SSH protocol versions.

Listening port number of the SFTP server: Run the ssh server port port-number command. If a new listening port is set, the SFTP server cuts off all established STelnet and SFTP connections, and then uses the new port number to listen for connection requests. By default, the listening port number is 22.

Interval at which the key pair of the SFTP server is updated: Run the ssh server rekey-interval hours command. By default, the interval is 0, indicating that the key pair will never be updated.

Timeout period of an idle connection: Run the ssh server timeout seconds command. By default, the timeout period is 60 seconds.

Step 3 Run:
commit

The configuration is committed.

----End

4.5.4 Using SFTP to Access the System
After the configuration is complete, users can log in to the device from the PC by using SFTP to manage files on the device.

Context
Third-party software can be used to access the device from the PC by using SFTP. This section uses the third-party software OpenSSH and the Windows Command Prompt as an example.

After installing OpenSSH on a PC, do as follows on the PC:

NOTE

For details about how to install OpenSSH, see the installation guide of the software.

For details on how to use OpenSSH commands to log in to the system, see the help document of the software.

Procedure

Step 1 Enter the Windows Command Prompt window.

Step 2 Run relevant OpenSSH commands to log in to the device in SFTP mode.

When the command prompt of the SFTP client view is displayed, such as sftp>, you have entered the working path of the SFTP server, as shown in Figure 4-5.


Figure 4-5 Schematic diagram for the working path of the FTP server

----End

4.5.5 Using SFTP to Operate Files
After logging in to the SFTP server, you can manage directories and files on the server.

Context
After logging in to the SFTP server, you can perform the following operations:

- Obtain command help on the SFTP client.
- Manage directories on the SFTP server.
- Manage files on the SFTP server.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]


The SFTP client view is displayed. You have successfully logged in to the SSH server by using SFTP.

Step 3 Perform one or more operations shown in Table 4-7 as needed.

Table 4-7 File operations

Managing directories:
- Changing the user's working directory: Run the cd [ remote-directory ] command.
- Changing the user's working directory to the parent directory: Run the cdup command.
- Displaying the user's working directory: Run the pwd command.
- Displaying files in the directory and the list of sub-directories: Run the dir or ls [ remote-directory ] command.
- Deleting directories on the server: Run the rmdir remote-directory &<1-10> command.
- Creating a directory on the server: Run the mkdir remote-directory command.

Managing files:
- Renaming a file on the server: Run the rename old-name new-name command.
- Downloading files from a remote server: Run the get remote-filename [ local-filename ] command.
- Uploading files to a remote server: Run the put local-filename [ remote-filename ] command.
- Deleting files from the server: Run the remove path &<1-10> command.

Displaying command help on the SFTP client: Run the help [ all | command-name ] command.

----End

4.5.6 Checking the Configuration
After completing the configuration of file operation by using SFTP, you can view information about SSH users and the configuration of the SSH server.

Prerequisite
The configuration of file operation by using SFTP is complete.


Procedure
- Run the display ssh user-information username command on the SSH server to check information about SSH users.
- Run the display ssh server status command on the SSH server to check its configuration.
- Run the display ssh server session command on the SSH server to check information about sessions between the SSH server and SSH clients.
- Run the display ssh server statistics command on the SSH server to view the total number of connections accepted, denied, and closed, and the total number of online connections.

----End

Example
Run the display ssh user-information client001 command to verify that the authentication mode set for the SSH user client001 is password and that the service type is sftp.

<HUAWEI> display ssh user-information client001
--------------------------------------
Username : client001
Authentication-type : password
User-public-key-name : -
Sftp-directory : cfcard:/home
Service-type : sftp
Authorization-cmd : Yes
---------------------------------------------
Total 1, 1 printed

Run the display ssh server status command to view configuration of the SSH server.

<HUAWEI> display ssh server status
SSH version : 2.0
SSH authentication timeout : 110 seconds
SSH server key generating interval : 2 hours
SSH version 1.x compatibility : Disable
SSH server keep alive : Enable
SFTP server : Disable
STELNET server : Enable
SNETCONF server : Disable
SSH server port : 1025

NOTE

If the default listening port is in use, information about the current listening port is not displayed.

Run the display ssh server session command to view information about sessions between the SSH server and SSH clients.

<HUAWEI> display ssh server session
Session : 2
Conn : SFTP 0
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : password

Run the display ssh server statistics command to view the current statistics of the SSH server.


<HUAWEI> display ssh server statistics
----------------------------------
Total connection accepted : 1
Total connection denied by ACL : 2
Total connection denied by CLI : 0
Total connection denied by AAA : 3
Total connection denied by Netconf : 1
Total connection closed by CLI : 1
Total connection closed by Netconf : 4
Total connection closed by sock : 3
Total online connection : 5
----------------------------------------
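The display outputs above can be checked mechanically rather than by eye. The script below is an added example (not part of this guide or of Huawei software): it parses the "Key : Value" lines of display ssh server status and display ssh server session as captured above and reports the settings that Tables 4-5 and 4-6 describe as the weaker defaults (SSH 1.x compatibility, a rekey interval of 0, the default port 22, SFTP server disabled); the list of cipher and HMAC families it flags in a session is an assumption of this example, not something the guide states.

```python
import re

# Constructed sample: the 'display ssh server status' output shown in 4.5.6.
STATUS_OUTPUT = """\
<HUAWEI> display ssh server status
SSH version : 2.0
SSH authentication timeout : 110 seconds
SSH server key generating interval : 2 hours
SSH version 1.x compatibility : Disable
SSH server keep alive : Enable
SFTP server : Disable
STELNET server : Enable
SNETCONF server : Disable
SSH server port : 1025
"""

# Constructed sample of a server left at the defaults listed in Table 4-6.
# The port line is absent because, as the NOTE in 4.5.6 says, it is not
# displayed while the default port 22 is in use.
DEFAULT_STATUS_OUTPUT = """\
<HUAWEI> display ssh server status
SSH version : 2.0
SSH server key generating interval : 0 hours
SSH version 1.x compatibility : Enable
SFTP server : Enable
"""

# Constructed sample: the 'display ssh server session' output shown in 4.5.6.
SESSION_OUTPUT = """\
<HUAWEI> display ssh server session
Session : 2
Conn : SFTP 0
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : password
"""

FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

def parse_fields(output):
    """Turn the 'Key : Value' lines of a display command into a dict,
    skipping the echoed prompt line, dashed rules and blank lines."""
    fields = {}
    for line in output.splitlines():
        if not line.strip() or line.startswith(("<", "-")):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields

def leading_int(value):
    """'2 hours' -> 2; a missing or non-numeric value counts as 0."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 0

def audit_status(fields, expect_sftp=True):
    """Findings for 'display ssh server status' against Tables 4-5 and 4-6."""
    findings = []
    if fields.get("SSH version 1.x compatibility", "").lower() == "enable":
        findings.append("SSH 1.x compatibility enabled; run undo ssh server compatible-ssh1x enable")
    if leading_int(fields.get("SSH server key generating interval")) == 0:
        findings.append("server key pair never regenerated; set ssh server rekey-interval")
    if fields.get("SSH server port", "22") == "22":
        findings.append("server listens on the default port 22; consider ssh server port")
    if expect_sftp and fields.get("SFTP server", "").lower() != "enable":
        findings.append("SFTP server function disabled; run sftp server enable")
    return findings

# Algorithm families the sftp command on this device can still negotiate that
# a reviewer would flag today (an assumption of this example, not the guide).
WEAK_CIPHERS = ("des", "3des")
WEAK_HMACS = ("md5",)

def audit_session(fields):
    """Findings for one 'display ssh server session' entry."""
    findings = []
    if fields.get("Version") != "2.0":
        findings.append("session negotiated SSH %s" % fields.get("Version"))
    for key in ("CTOS Cipher", "STOC Cipher"):
        cipher = fields.get(key, "").lower()
        if any(cipher.startswith(weak) for weak in WEAK_CIPHERS):
            findings.append("%s uses weak cipher %s" % (key, cipher))
    for key in ("CTOS Hmac", "STOC Hmac"):
        mac = fields.get(key, "").lower()
        if any(weak in mac for weak in WEAK_HMACS):
            findings.append("%s uses weak MAC %s" % (key, mac))
    return findings
```

Run audit_status on the output of every device after 4.5.3 has been applied; an empty list means the Table 4-6 settings are in place.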

4.6 Configuration Examples
This section provides configuration examples for operating files after logging in to the system or by using FTP or SFTP. These configuration examples explain networking requirements, configuration roadmap, and precautions.

4.6.1 Example for Operating Files After Logging In to the System
This example describes how to log in to the system to view directories and copy files.

For detailed configurations about operating files after logging in to the system, see Operating Files After Logging In to the System.

4.6.2 Example for Using FTP to Operate Files
Files can be uploaded and downloaded by using FTP.

Networking Requirements
As devices operate stably and are deployed in large scopes, more and more devices need to be maintained and upgraded remotely. Online software upgrade, as a new upgrade method by loading software packages remotely, facilitates remote online upgrade, reduces upgrade expenditure, shortens the time that customers wait for upgrade, and improves customers' satisfaction. In real world situations, the delay, packet loss, and jitter affect data transmission on networks. To guarantee the quality of online upgrade and data transmission, use FTP to perform online upgrade and transfer files based on TCP connections.

As shown in Figure 4-6, after the FTP server function is enabled on the router, you can log in to the FTP server from the HyperTerminal to upload or download files.

Figure 4-6 Networking diagram for operating files by using FTP (PC connected over the network to the FTP server, interface GE0/0/0 with address 10.137.217.221/16)

Precautions
The IP address of the FTP server must be configured on the MEth interface.


Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the IP address of the FTP server.
2. Enable the FTP server function.
3. Configure the authentication information, authorization mode, and directories to be accessed for an FTP user.
4. Log in to the FTP server by using the correct user name and password.
5. Upload files to or download files from the FTP server.

Data Preparation
To complete the configuration, you need the following data:

- IP address of the FTP server: 10.137.217.221
- FTP user information (user name: huawei, password: huawei)
- Path on which the file to be uploaded is saved and the path on which the file to be downloaded is saved

Procedure

Step 1 Configure the IP address of the FTP server.
<HUAWEI> system-view
[~HUAWEI] sysname server
[~HUAWEI] commit
[~server] interface gigabitethernet0/0/0
[~server-GigabitEthernet0/0/0] undo shutdown
[~server-GigabitEthernet0/0/0] ip address 10.137.217.221 255.255.0.0
[~server-GigabitEthernet0/0/0] quit
[~server] commit

Step 2 Enable the FTP server function.
[~server] ftp server enable
[~server] commit

Step 3 Configure the authentication information, authorization mode, and authorized directories for an FTP user on the FTP server.
[~server] aaa
[~server-aaa] local-user huawei password simple huawei
[~server-aaa] local-user huawei service-type ftp
[~server-aaa] local-user huawei ftp-directory cfcard:/
[~server-aaa] quit
[~server] commit

Step 4 Run the ftp commands at the Windows Command Prompt, and enter the correct user name and password to set up an FTP connection to the FTP server, as shown in Figure 4-7.


Figure 4-7 Logging in to the FTP server

Step 5 Upload a file from the terminal to the server and download a file from the server, as shown in Figure 4-8.

Figure 4-8 Operating files by using FTP

NOTE
You can run the dir command before downloading a file or after uploading a file to view the detailed information about the file.

----End

Configuration Files
- Configuration file of the FTP server

#
sysname server
#
aaa
 local-user huawei password simple huawei
 local-user huawei ftp-directory cfcard:/
 local-user huawei service-type ftp
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
ftp server enable
#
admin
return

4.6.3 Example for Using SFTP to Operate Files
In this example, a local key pair is configured on the SSH server, and a user name and a password are configured on the server for an SSH user. After the SFTP server function is enabled on the server and the SFTP client is connected to the server, you can operate files between the client and the server.

Networking Requirements
As devices operate stably and are deployed in large scopes, more and more devices need to be maintained and upgraded remotely. Online software upgrade, as a new upgrade method by loading software packages remotely, facilitates remote online upgrade, reduces upgrade expenditure, shortens the time that customers wait for upgrade, and improves customers' satisfaction. FTP is usually used to transmit data for online upgrade. FTP transmits data and even user names and passwords in plain text, bringing security risks.

SFTP enables users to log in to a remote device securely from PCs to manage files. This improves the security of data transmission for remote upgrade. In addition, the device can function as an SFTP client. This allows users that have logged in to the device to access other remote devices to transfer files and perform online upgrade by using SFTP.

As shown in Figure 4-9, after the SFTP server function is enabled on the router that functions as an SSH server, you can log in to the server in password, RSA, password-RSA, or all authentication mode from a PC that functions as an SFTP client.

Figure 4-9 Networking diagram for operating files by using SFTP (PC connected over the network to the SSH server, interface GE0/0/0 with address 10.137.217.225/16)

Precautions
The IP address of the SSH server must be configured on the MEth interface.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a local key pair on the SSH server, allowing secure data transmission between the client and the server.

2. Configure VTY user interfaces on the SSH server.


3. Configure an SSH user, including the user authentication mode, user name, password, and authorized directory.

4. Enable the SFTP server function on the SSH server and configure the service type.

Data Preparation
To complete the configuration, you need the following data:

- SSH user authentication mode: password; user name: client001; password: huawei
- User level of client001: 3
- IP address of the SSH server: 10.137.217.225

Procedure

Step 1 Configure the IP address of the FTP server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] interface gigabitethernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.225 255.255.0.0
[~SSH Server-GigabitEthernet0/0/0] quit
[~SSH Server] commit

Step 2 Configure a local key pair on the SSH server.
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus [default = 512] :

Step 3 Configure the SSH user name and password on the SSH server.
[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password cipher huawei
[~SSH Server-aaa] local-user client001 level 3
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] quit
[~SSH Server] commit

Step 4 Enable the SFTP server function and set the service type to SFTP.
[~SSH Server] sftp server enable
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit

Step 5 Configure the authorized directory for the SSH user.
[~SSH Server] ssh user client001 service-type sftp
[~SSH Server] commit

Step 6 Verify the configuration.

# Access the SFTP server by using the OpenSSH software.


Figure 4-10 Schematic diagram for accessing the SFTP server by using the OpenSSH software

----End

Configuration file of the SSH server
#
sysname SSH Server
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
#
aaa
 local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user client001 level 3
 local-user client001 service-type ssh
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 10.137.217.225 255.255.0.0
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
admin
return


5 Accessing Other Devices

About This Chapter

To operate files on other devices, and manage or configure these devices, access the device by using Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.

5.1 Overview
You can log in to one device and access another device by using Telnet, FTP, TFTP, or SFTP.

5.2 Using Telnet to Log In to Other Devices
Telnet helps users to log in to remote devices to manage and maintain the devices.

5.3 Using STelnet to Log In to Other Devices
STelnet provides secure Telnet services. You can use STelnet to log in to other devices from the device that you have logged in to, and manage the remote devices.

5.4 Using TFTP to Access Other Devices
TFTP is used to transfer files between remote servers and local hosts. Unlike FTP, TFTP is simple, providing no authentication. It is applicable to scenarios without complicated interactions between the client and the server.

5.5 Using FTP to Access Other Devices
You can log in to an FTP server on the network from the device that functions as an FTP client to upload files to or download files from the server.

5.6 Using SFTP to Access Other Devices
SFTP provides a secure FTP service. The device is configured as an SFTP client. The SFTP server authenticates the client and encrypts data in both directions to provide secure file transfer.

5.7 Configuration Examples
This section provides examples for configuring one device to access other devices. These configuration examples explain networking requirements, configuration roadmap, and precautions.


5.1 Overview
You can log in to one device and access another device by using Telnet, FTP, TFTP, or SFTP.

As shown in Figure 5-1, after you use the terminal emulator or Telnet program on a PC to connect to the router successfully, the router can still function as a client to help you access other devices on the network by using Telnet, FTP, TFTP, or SFTP.

Figure 5-1 Schematic diagram for accessing other devices (PC in the user network, the router as Telnet client, and a Telnet server reached across the IP network)

Telnet Overview
Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote login and virtual terminal services. The NE5000E provides the following Telnet services:

- Telnet server: A user runs the Telnet client program on a PC to log in to the router to configure and manage the router. The router functions as a Telnet server.

- Telnet client: After using the terminal emulator or Telnet client program on a PC to connect to the router, a user runs the telnet command to log in to another device for configuration and management. The router functions as a Telnet client. In Figure 5-2, the CE functions as both a Telnet server and a Telnet client.

Figure 5-2 Telnet server providing the Telnet client service (PC, CE, and PE acting as Telnet server; Telnet session 1 and Telnet session 2)

- Telnet service interruption

Figure 5-3 Usage of Telnet shortcut keys (P1 as Telnet client, P2 and P3 as Telnet servers; Telnet session 1 and Telnet session 2)


Two pairs of shortcut keys can be used to interrupt Telnet connections. As shown in Figure 5-3, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2. P2 is the Telnet client of P3. The usage of shortcut keys is described as follows:
– Ctrl_]: Instructs the server to disconnect a Telnet connection.

If the shortcut keys Ctrl_] are used when the network works properly, the Telnet server interrupts the current Telnet connection. For example, enter Ctrl_] on P3, and the P2 prompt is displayed.
<P3> Select Ctrl_] to return to the prompt of P2
The connection was closed by the remote host.
<P2> Select Ctrl_] to return to the prompt of P1
<P2> Ctrl_]
The connection was closed by the remote host.
<P1>

NOTE

If the network connection is disconnected, shortcut keys do not take effect.

– Ctrl_K: Instructs the client to disconnect the connection.
When the server fails and the client is unaware of the failure, the server does not respond to the client's input. In this case, if you select Ctrl_K, the Telnet client interrupts the connection and quits the Telnet connection. For example, select Ctrl_K on P3 to quit the Telnet connection.
<P3> Select Ctrl_K to abort
<P1>

CAUTION
When the number of remote login users reaches the maximum number of VTY user interfaces, the system prompts subsequent users with a message, indicating that all user interfaces are in use and no more Telnet connections are allowed.

FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer files between local clients and remote servers. FTP uses two TCP connections to copy a file from one system to another. The TCP connections are usually established in client-server mode, one for control (the server port number is 21) and the other for data transmission (the server port number is 20).
- Control connection: issues commands from the client to the server and transmits replies from the server to the client, minimizing the transmission delay.
- Data connection: transmits data between the client and server, maximizing the throughput.

FTP has two file transfer modes:
- Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
- ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.

The device provides the following FTP functions:
- FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to the device, and run the ftp command to establish a connection between the device and a remote FTP server to access and operate files on the server.


- FTP server: Users can use an FTP client program to log in to the device and operate files on the device. Before users log in, the network administrator must configure an IP address for the FTP server.

TFTP

TFTP is an application protocol that runs over the User Datagram Protocol (UDP). It uses UDP port 69 to transfer files between local hosts and remote servers. Unlike FTP, TFTP is simple and provides no authentication: any host that can reach the server can request the files it serves. It is applicable to scenarios where complicated interactions between clients and the server are not required and where access to the server is restricted by other means.

TFTP supports both binary and ASCII file transfer modes, which are also supported by FTP.

NOTE

- Currently, the HUAWEI NetEngine5000E supports only the binary mode for TFTP.
- Currently, the HUAWEI NetEngine5000E can function only as a TFTP client, not as a TFTP server.

TFTP transfer requests are initiated by clients:

- When a TFTP client needs to download a file from the server, the client sends a read request to the TFTP server. The server sends data packets to the client, and the client acknowledges each data packet.
- When a TFTP client needs to upload a file to the server, the client sends a write request and then data packets to the server, and receives an acknowledgment for each packet from the server.
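The read and write exchanges described above, carried through at the packet level (RFC 1350 opcodes, the fixed 512-byte block size, and the short final block that ends a transfer), as an added example that is not code from this guide or from Huawei. The client and server are in-memory stand-ins, the file contents are constructed, and the transfer mode is "octet", which is what binary mode is called on the wire.

```python
"""TFTP (RFC 1350) packet construction and parsing with a simulated read and
write exchange. Added example, not code from the Huawei guide; the client and
server here are in-memory stand-ins, and the file contents are constructed."""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # RFC 1350 fixed block size; a short last block ends the transfer


def build_request(opcode, filename, mode="octet"):
    # RRQ/WRQ: opcode, filename, 0, mode, 0. The NE5000E supports only binary
    # transfer, which on the wire is the "octet" mode string.
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def parse_packet(pkt):
    """Return a dict describing the packet; raises ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode in (RRQ, WRQ):
        fields = pkt[2:].split(b"\0")
        if len(fields) < 3:
            raise ValueError("request missing terminators")
        return {"op": opcode, "filename": fields[0].decode(), "mode": fields[1].decode().lower()}
    block = struct.unpack("!H", pkt[2:4])[0]
    if opcode == DATA:
        return {"op": DATA, "block": block, "data": pkt[4:]}
    if opcode == ACK:
        return {"op": ACK, "block": block}
    if opcode == ERROR:
        return {"op": ERROR, "code": block, "msg": pkt[4:].rstrip(b"\0").decode()}
    raise ValueError("unknown opcode %d" % opcode)


def split_blocks(data):
    """Return [(block_number, payload)]; always ends with a short (possibly empty) block."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return list(enumerate(blocks, start=1))


def simulate_read(server_files, filename):
    """Client sends RRQ; server answers with DATA blocks, each ACKed by the client.
    Returns (file_bytes, transcript); the transcript lists packets in wire order."""
    transcript = ["RRQ"]
    req = parse_packet(build_request(RRQ, filename))
    if req["filename"] not in server_files:  # no authentication: only the name is checked
        transcript.append("ERROR")
        return None, transcript
    received = b""
    for block, payload in split_blocks(server_files[req["filename"]]):
        pkt = parse_packet(build_data(block, payload))
        transcript.append("DATA%d" % block)
        received += pkt["data"]
        ack = parse_packet(build_ack(block))
        assert ack["block"] == block  # a lost or late ACK would trigger retransmission
        transcript.append("ACK%d" % block)
    return received, transcript


def simulate_write(server_files, filename, data):
    """Client sends WRQ; server ACKs block 0; client sends DATA blocks, server ACKs each."""
    transcript = ["WRQ", "ACK0"]
    req = parse_packet(build_request(WRQ, filename))
    stored = b""
    for block, payload in split_blocks(data):
        pkt = parse_packet(build_data(block, payload))
        stored += pkt["data"]
        transcript.append("DATA%d" % block)
        transcript.append("ACK%d" % parse_packet(build_ack(block))["block"])
    server_files[req["filename"]] = stored
    return transcript
```

Note that a file whose length is an exact multiple of 512 bytes still ends with an empty DATA block; without it the receiver cannot tell that the transfer is complete.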

SFTP

SFTP uses SSH to secure file transfer. On one hand, SFTP allows remote users to log in to the device securely to manage and transfer files. On the other hand, the device can function as an SFTP client, logging in to a remote server and transferring files securely.

When the SFTP server or the connection between the server and the client fails, the client needs to detect the fault promptly and release the connection proactively. To help the client detect such a fault, configure the interval at which keepalive packets are sent when no packet is received, and the maximum number of consecutive keepalives the server may leave unanswered:

- If the client does not receive any packet within the specified interval, the client sends a keepalive packet to the server.
- If the number of consecutive unanswered keepalives exceeds the specified maximum, the client proactively releases the connection.

5.2 Using Telnet to Log In to Other Devices

Telnet helps users log in to remote devices to manage and maintain them.

Applicable Environment

A large number of devices on a network need to be managed and maintained. It is impossible to connect each device to a terminal, especially when there is no reachable route between a device and the terminal. To manage and maintain remote devices, you can log in to other devices by using Telnet from the device that you have already logged in to.


As shown in Figure 5-4, the PC can use Telnet to log in to the Telnet client. As the PC does nothave a reachable route to the Telnet server, you cannot manage the Telnet server remotely. Tomanage the Telnet server remotely, you can use the Telnet client to telnet to the Telnet server.

Figure 5-4 Networking diagram for accessing other devices: PC -- user network -- Telnet client -- IP network -- Telnet server

Pre-configuration Tasks

Before logging in to other devices by using Telnet, complete the following tasks:

- Logging In to the System by Using Telnet.
- Configuring a route to ensure that the Telnet client and server are routable.

Context

Telnet provides an interactive interface for users to log in to a remote server. You can log in to one device and then telnet to other devices on the network to configure and manage them, instead of connecting a terminal to each device.

An IP address can be configured for an interface on the device (for example, a loopback interface) and specified as the source IP address of the Telnet connection. The server then always sees the same, predictable source address regardless of which physical interface the packets leave through, so access can be restricted to that address, for example with an ACL on the server.

After the source IP address is configured for the Telnet client, the source IP address of the Telnet client displayed on the server is the same as the configured one.

Perform either of the following operations based on the type of the source IP address:

Procedure

- If the source address is an IPv4 address:

  Run the telnet [ -a source-ip-address | -i interface-type interface-number ] [ vpn-instance vpn-instance-name ] host-name [ port-number ] command to log in to and manage other devices.

- If the source address is an IPv6 address:

  Run the telnet ipv6 ipv6-address [ -i interface-type interface-number ] [ port-number ] command to log in to and manage other devices.

----End

Checking the Configuration

After logging in to other devices by using Telnet, do as follows to check the configuration.

Run the display tcp status command to view TCP connections. Established in the command output indicates that a TCP connection has been established.

<HUAWEI> display tcp status


--------------------------------------------------------------------------------
Pid/SocketID        Local Addr:Port        Foreign Addr:Port       VPNID   State
--------------------------------------------------------------------------------
0x80C8272F/2        0.0.0.0:23             0.0.0.0:0               42949   LISTEN
0x80932727/4        0.0.0.0:22             0.0.0.0:0               42949   LISTEN
0x30666bb4/9        10.137.217.222:23      10.137.217.223:53930    0       Established
--------------------------------------------------------------------------------

In this output, the LISTEN entries on ports 23 and 22 show that both the Telnet server and the SSH server are enabled on the device, and the Established entry on port 23 is a plaintext Telnet session from 10.137.217.223. Where STelnet is available (see 5.3), the port 23 listener is the one to look for when reviewing which management services a router exposes.
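A small checker for this output, as an added example (not code from the guide or from Huawei): it parses display tcp status rows and reports plaintext management services that are listening or in use. SAMPLE is constructed from the output shown above; the parser assumes whitespace-separated columns and IPv4 addresses, so IPv6 rows would be skipped.

```python
"""Parse 'display tcp status' output and flag plaintext management sessions.
Added example, not from the Huawei guide. SAMPLE is constructed from the
output shown in the guide; columns are assumed whitespace separated, IPv4 only."""
import re

SAMPLE = """\
--------------------------------------------------------------------------------
Pid/SocketID        Local Addr:Port        Foreign Addr:Port       VPNID   State
--------------------------------------------------------------------------------
0x80C8272F/2        0.0.0.0:23             0.0.0.0:0               42949   LISTEN
0x80932727/4        0.0.0.0:22             0.0.0.0:0               42949   LISTEN
0x30666bb4/9        10.137.217.222:23      10.137.217.223:53930    0       Established
--------------------------------------------------------------------------------
"""

ROW = re.compile(
    r"^(?P<sock>\S+)\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<faddr>[\d.]+):(?P<fport>\d+)\s+(?P<vpn>\d+)\s+(?P<state>\S+)$"
)

# Services whose credentials and session content cross the wire unencrypted.
PLAINTEXT_PORTS = {23: "telnet", 21: "ftp"}


def parse_tcp_status(text):
    """Return one dict per connection row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["lport"], d["fport"], d["vpn"] = int(d["lport"]), int(d["fport"]), int(d["vpn"])
        rows.append(d)
    return rows


def findings(rows):
    """Return [(severity, message)]: a listening plaintext service is 'warn',
    an established session on a plaintext port is 'alert'."""
    out = []
    for r in rows:
        svc = PLAINTEXT_PORTS.get(r["lport"])
        if svc is None:
            continue
        if r["state"].upper() == "LISTEN":
            out.append(("warn", "%s server listening on %s:%d" % (svc, r["laddr"], r["lport"])))
        elif r["state"].lower() == "established":
            out.append(("alert", "plaintext %s session from %s:%d to %s:%d"
                        % (svc, r["faddr"], r["fport"], r["laddr"], r["lport"])))
    return out


def established_sessions(rows):
    return [r for r in rows if r["state"].lower() == "established"]


if __name__ == "__main__":
    for severity, msg in findings(parse_tcp_status(SAMPLE)):
        print(severity.upper(), msg)
```

Run against the sample this reports one warning (the Telnet listener on 0.0.0.0:23) and one alert (the established Telnet session); the SSH listener on port 22 is not reported.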

5.3 Using STelnet to Log In to Other Devices

STelnet provides secure Telnet services. You can use STelnet to log in to other devices from the device that you have logged in to, and manage the remote devices.

Applicable Environment

A large number of devices on a network need to be managed and maintained. It is impossible to connect each device to a terminal, especially when there is no reachable route between a device and the terminal. To manage and maintain remote devices, you can log in to other devices by using Telnet from the device that you have logged in to. Logging in by using Telnet carries a security risk, because Telnet provides no secure authentication mechanism and its data, including passwords, is transmitted over TCP in plaintext.

STelnet provides secure Telnet services based on SSH connections. By providing encryption and server authentication, SSH protects devices against IP address spoofing and plaintext password interception. As shown in Figure 5-5, the HUAWEI NetEngine5000E supports the SSH function. You can log in to a remote device in SSH mode to manage and maintain it. In this situation, the device that you have logged in to functions as the SSH client, and the remote device to be logged in to is the SSH server.

Figure 5-5 Networking diagram for logging in to other devices by using STelnet: Telnet client -- IP network -- Telnet server (the figure labels the SSH client and SSH server as Telnet client and Telnet server)

Pre-configuration Tasks

Before logging in to other devices by using STelnet, complete the following task:

- 3.4 Logging In to the System by Using STelnet


Configuration Procedures

Figure 5-6 Logging in to other devices by using STelnet (flowchart, shown here as text). Either path prepares the client for its first login to a given server:

- Enable first-time authentication on the SSH client to allow users to log in to other devices successfully for the first time, then use STelnet to log in to other devices.
- Bind the SSH client to the RSA public key generated on the SSH server to allow users to log in to other devices successfully for the first time, then use STelnet to log in to other devices.

(Figure legend: mandatory procedure / optional procedure.)

5.3.1 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client)

After first-time authentication is enabled on the SSH client, the RSA public key of the SSH server is not checked when the STelnet client logs in to the SSH server for the first time.

Context

After first-time authentication is enabled on the SSH client, the RSA public key presented by the SSH server is not checked when the STelnet client logs in to that server for the first time. The client saves the key presented during the first login and uses it to authenticate the server during subsequent logins. Because nothing verifies the key on that first connection, an attacker who can intercept the first session can present a key of their own and have it trusted from then on (trust on first use). Verify the stored key against the server out of band, or bind the server's key in advance as described in 5.3.2.

If first-time authentication is disabled, the STelnet client cannot log in to an SSH server whose public key has not been bound on the client, because the validity check of the RSA public key fails. To log in to such a server for the first time, either enable first-time authentication or bind the server's RSA public key on the client in advance. For details, see 5.3.2 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server).

Do as follows on the router that functions as an SSH client:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ssh client first-time enable

First-time authentication is enabled on the SSH client.

By default, first-time authentication is disabled for an SSH client.


Step 3 Run: commit

The configuration is committed.

----End

5.3.2 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server)

To allow the SSH client to log in to the SSH server successfully for the first time while first-time authentication is disabled, bind the RSA public key of the SSH server on the SSH client before the login.

Context

If first-time authentication is disabled, the SSH client cannot log in to the SSH server because the validity check of the RSA public key fails. The server's RSA public key must be bound on the client before the SSH client logs in to that server.

The RSA public key bound on the client must be the one generated on the SSH server, and it should be obtained over a trusted channel (for example, read from the server's console rather than from the network). Otherwise, the validity check of the RSA public key on the SSH client cannot succeed, or succeeds against the wrong key.

Do as follows on the router that functions as an SSH client:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run: public-key-code begin

The public key edit view is displayed.

Step 4 Enter hex-data to edit the public key.

The public key must be entered as a hexadecimal string that complies with the public key format. It is the public half of the RSA key pair generated on the SSH server.

NOTE

After entering the public key edit view, copy and paste the RSA public key generated on the server into the client.

Step 5 Run: public-key-code end

The public key edit view is exited.


If the configured public key contains invalid characters or does not comply with the public key format, a prompt is displayed and the configured public key is discarded; the configuration fails. If the configured public key is valid, the key is saved into the client's public key chain table.

- If no valid hex-data is specified, no public key is generated.
- If the key-name specified in Step 2 has been deleted in another window, the system prompts an error and returns to the system view.

Step 6 Run: peer-public-key end

The public key view is exited, and the system view is displayed.

Step 7 Run: ssh client server-ip-address assign rsa-key key-name

On the SSH client, the public key named key-name is bound to the SSH server at server-ip-address. Subsequent logins to that server succeed only if the server presents this key.

NOTE

If the public key saved on the SSH client becomes invalid (for example, because the server's key pair was regenerated), run the undo ssh client server-ip-address assign rsa-key command to cancel the binding between the client and the server, and then run the ssh client server-ip-address assign rsa-key key-name command to bind the server's new RSA public key on the client.

Step 8 Run: commit

The configuration is committed.

----End
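The two client-side behaviours of 5.3.1 and 5.3.2, side by side in one added example (not code from this guide or from Huawei): with first-time authentication enabled, the key presented on the first connection is stored and trusted; with it disabled, only a key bound in advance is accepted, and a server whose key differs from the binding is rejected. The key blobs are constructed hex strings in the role of the hex-data pasted in Step 4; the fingerprint format is an assumption of this example.

```python
"""Client-side SSH server host-key checking as the guide describes it: with
first-time authentication enabled the key presented on the first connection is
stored (trust on first use); with it disabled, only a key bound in advance is
accepted. Added example, not Huawei code; key material is constructed hex."""
import hashlib


def fingerprint(hex_key):
    """SHA-256 fingerprint of the hex-encoded public key blob (format assumed)."""
    hex_key = "".join(hex_key.split())  # tolerate pasted line breaks and spaces
    try:
        blob = bytes.fromhex(hex_key)
    except ValueError:
        raise ValueError("public key is not valid hex-data")
    if not blob:
        raise ValueError("empty public key")
    return hashlib.sha256(blob).hexdigest()


class SshClient:
    def __init__(self, first_time_enable=False):
        self.first_time_enable = first_time_enable  # 'ssh client first-time enable'
        self.bindings = {}                          # server-ip -> fingerprint (assign rsa-key)

    def assign_rsa_key(self, server_ip, hex_key):
        """'ssh client <server-ip> assign rsa-key': bind a key pasted from the server."""
        self.bindings[server_ip] = fingerprint(hex_key)

    def unassign(self, server_ip):
        """'undo ssh client <server-ip> assign rsa-key'."""
        self.bindings.pop(server_ip, None)

    def connect(self, server_ip, presented_hex_key):
        """Return 'ok-bound' or 'ok-first-time'; raise PermissionError for an untrusted key."""
        fp = fingerprint(presented_hex_key)
        known = self.bindings.get(server_ip)
        if known is not None:
            if known == fp:
                return "ok-bound"
            raise PermissionError("host key for %s changed; possible interception, rebind explicitly"
                                  % server_ip)
        if self.first_time_enable:
            # Trusted without any check: whoever answers first becomes the trusted server.
            self.bindings[server_ip] = fp
            return "ok-first-time"
        raise PermissionError("no key bound for %s and first-time authentication is disabled"
                              % server_ip)
```

The difference that matters operationally is the first call to connect(): with first-time authentication disabled the client refuses until an administrator has bound a key obtained out of band; with it enabled the client accepts whatever key it is shown and only detects a change afterwards.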

5.3.3 Using STelnet to Log In to Other Devices

You can log in to the SSH server from the SSH client by using STelnet to configure and manage the server.

Context

The SSH client can log in to the server without specifying the listening port number only when the listening port number of the server is 22. Otherwise, the listening port number must be specified.

Do as follows on the router that functions as an SSH client:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: stelnet [ -a source-address | -i interface-type interface-number ] host-ip-address [ port-number ] [ [ prefer-kex { dh-group1 | dh-exchange-group } ] [ prefer-ctos-cipher { des | 3des | aes128 } ] [ prefer-stoc-cipher { des | 3des | aes128 } ] [ prefer-ctos-hmac { sha1 | sha1-96 | md5 | md5-96 } ] [ prefer-stoc-hmac { sha1 | sha1-96 | md5 | md5-96 } ] [ -vpn-instance vpn-instance-name ] [ -ki interval [ -kc count ] ] ]*

The prefer-* options state the client's preferred algorithms for key exchange, for the client-to-server (ctos) and server-to-client (stoc) ciphers, and for the HMACs. Among the accepted values, des (single DES, 56-bit key) and md5/md5-96 are weak by current standards, and dh-group1 uses a 1024-bit group; where the server supports them, prefer aes128, sha1, and dh-exchange-group. The -ki interval and -kc count options set the keepalive interval and the unanswered-keepalive limit described for SFTP earlier in this chapter.


The client logs in to the SSH server by using STelnet.

----End
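How the prefer-* options of the stelnet command resolve against what a server offers, as an added example that is not code from this guide or from Huawei. It applies the SSH rule that the first algorithm in the client's preference list also supported by the server wins (RFC 4253), and then applies a local policy that refuses the weak choices the command syntax still accepts. The server's supported lists and the assumption that an unstated client preference follows the server's order are constructed for this example.

```python
"""Algorithm negotiation for the stelnet prefer-* options, plus a policy that
rejects the weak choices the command still accepts. Added example, not Huawei
code; the server's supported lists are constructed."""

# Algorithm names as they appear in the stelnet command syntax.
WEAK = {"des", "md5", "md5-96", "dh-group1"}

# Constructed server offer, in the server's own preference order.
SERVER = {
    "kex": ["dh-group1", "dh-exchange-group"],
    "ctos-cipher": ["3des", "aes128"],
    "stoc-cipher": ["3des", "aes128"],
    "ctos-hmac": ["sha1", "md5"],
    "stoc-hmac": ["sha1", "md5"],
}


def negotiate(client_pref, server_supported):
    """RFC 4253 rule: first algorithm in the client's list also supported by the server."""
    for alg in client_pref:
        if alg in server_supported:
            return alg
    return None


def build_session(client_prefs, server=SERVER, allow_weak=False):
    """Resolve every slot. Raise ValueError if a slot has no common algorithm or if
    a weak algorithm was selected while allow_weak is False. A slot the client does
    not state is assumed (for this example) to follow the server's order."""
    chosen = {}
    for slot, server_list in server.items():
        alg = negotiate(client_prefs.get(slot, server_list), server_list)
        if alg is None:
            raise ValueError("no common %s algorithm" % slot)
        if alg in WEAK and not allow_weak:
            raise ValueError("weak %s algorithm %s selected; set a stronger prefer-%s"
                             % (slot, alg, slot))
        chosen[slot] = alg
    return chosen


def stelnet_options(chosen):
    """Render a resolved set as the prefer-* keywords of the stelnet command."""
    return " ".join("prefer-%s %s" % (slot, alg) for slot, alg in chosen.items())
```

With no prefer-* keywords at all, this server's own order would select dh-group1, 3des, and sha1, and build_session() refuses the key exchange choice; stating prefer-kex dh-exchange-group and prefer-ctos-cipher aes128 (and the stoc counterpart) resolves to a set the policy accepts.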

5.3.4 Checking the Configuration

After completing the configuration for logging in to another device by using STelnet, you can view the mappings between SSH servers and RSA public keys on the SSH client, the global configuration of SSH servers, and the sessions between SSH servers and the client.

Prerequisite

The configuration for logging in to another device by using STelnet is complete.

Procedure

- Run the display ssh server-info command to check the mappings between SSH servers and RSA public keys on the client.

----End

Example

Run the display ssh server-info command to view the mappings between SSH servers and RSA public keys on the client.

<HUAWEI> display ssh server-info
Server Name(IP)          Server public key name
________________________________________________________________________
1000::1                  1000::1
10.164.39.223            10.164.39.223
11.11.11.23              11.11.11.23
10.164.39.204            10.164.39.204
10.164.39.222            10.164.39.222

5.4 Using TFTP to Access Other Devices

TFTP is used to transfer files between a remote server and local hosts. Unlike FTP, TFTP is simple and provides no authentication. It is applicable to scenarios without complicated interactions between the client and the server.

Applicable Environment

In the TCP/IP protocol suite, FTP is frequently used to transfer files. However, FTP requires complicated interactions between terminals and servers, which are hard to implement on terminals that do not run advanced operating systems. TFTP is designed for file transfer that does not need such interactions: it is simple and has low overhead. TFTP can be used only for simple file transfer, and it performs no authentication, so the server should be reachable only from the hosts that need it.

NOTE

Currently, the HUAWEI NetEngine5000E can function only as a TFTP client but not as TFTP server.

Pre-configuration Tasks

Before using TFTP to access other devices, complete the following task:


- 3 Configuring User Login

Configuration Procedures

You can choose one or more configuration tasks (excluding "Checking the Configuration") as required.

5.4.1 Configuring the Source Address for the TFTP Client

You can configure a source address for a TFTP client and use it to establish TFTP connections, so that the server always sees the same client address.

Context

You can assign an IP address to a loopback interface on the TFTP client and use this IP address as the source address of TFTP connections. Because a loopback address does not depend on which physical interface the packets leave through, the TFTP server sees a single, stable source address for this client, and an access list on the server can be written against exactly that address. This is what the guide means by the source address ensuring the security of file transfer; the transfer itself is still unauthenticated and unencrypted.

Do as follows on the router that functions as a TFTP client:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: tftp client-source { -a ip-address | -i interface-type interface-number }

The source address of the TFTP client is configured.

NOTE

The interface type specified by interface-type must be loopback.

After configuring the source address of the TFTP client, you can check that the source address of the TFTP client displayed on the server is the same as the configured one.

Step 3 Run: commit

The configuration is committed.

----End

5.4.2 Configuring TFTP Access Control

An ACL can be configured to allow the TFTP client to access only specified TFTP servers.

Context

An ACL is a set of sequential rules. The rules are written in terms of the source addresses, destination addresses, and port numbers of packets and are used to filter packets. After an ACL is applied on a device, the device permits or denies packets based on the ACL rules.

Multiple rules can be defined for one ACL. ACL rules are classified into interface ACL, basic ACL, and advanced ACL rules based on their functions.


NOTE

TFTP supports only basic ACLs (from ACL 2000 to ACL 2999).

Do as follows on the router that functions as a TFTP client:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: acl acl-number

The ACL view is displayed.

Step 3 Run: rule [ rule-id ] { deny | permit } [ [ fragment | fragment-type fragment-type-name ] | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

An ACL rule is configured.

Step 4 Run: quit

The system view is displayed.

Step 5 Run: tftp-server acl acl-number

The ACL is applied to the TFTP client to control which TFTP servers it may access.

Step 6 Run: commit

The configuration is committed.

----End
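How a basic ACL of the kind applied by tftp-server acl is evaluated, as an added example that is not code from this guide or from Huawei: rules are parsed from the rule syntax above (including the form printed by display acl), tried in rule-id order, matched with wildcard-mask semantics (a 0 bit in the wildcard must match the rule address), and the first matching rule decides. The rule text is constructed; the rule-id auto-numbering by step and the deny result when no rule matches are assumptions of this example, not statements from the guide.

```python
"""Basic ACL (2000-2999) evaluation as applied by tftp-server acl: rules are
tried in rule-id order, source/wildcard decides a match, first hit wins.
Added example, not Huawei code; the rule text is constructed and the no-match
default (deny here) and step-based auto-numbering are assumptions."""
import ipaddress
import re

RULE = re.compile(
    r"rule(?:\s+(?P<id>\d+))?\s+(?P<action>permit|deny)(?:\s+ip)?"
    r"(?:\s+source\s+(?P<src>any|\S+\s+\S+))?"
)


def _wildcard(text):
    # The CLI prints a host wildcard as a bare "0"; accept that shorthand too.
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_rule(text):
    """Parse 'rule [id] permit|deny [ip] [source A W | any]'; extra text is ignored."""
    m = RULE.search(text)
    if not m:
        raise ValueError("unrecognised rule: %s" % text)
    src = m.group("src")
    if src is None or src == "any":
        addr, wild = 0, 0xFFFFFFFF  # no source clause: matches every address
    else:
        a, w = src.split()
        addr, wild = int(ipaddress.IPv4Address(a)), _wildcard(w)
    rid = int(m.group("id")) if m.group("id") is not None else None
    return {"id": rid, "action": m.group("action"), "addr": addr, "wild": wild}


def rule_matches(rule, ip):
    """Wildcard semantics: bits that are 0 in the wildcard must equal the rule address."""
    care = ~rule["wild"] & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (rule["addr"] & care)


class BasicAcl:
    def __init__(self, number, step=5, default="deny"):
        if not 2000 <= number <= 2999:
            raise ValueError("TFTP accepts basic ACLs 2000-2999 only")
        self.number, self.step, self.default = number, step, default
        self.rules = []

    def add(self, text):
        """Add a rule; an omitted rule-id gets the next multiple of step (assumed)."""
        r = parse_rule(text)
        if r["id"] is None:
            top = max((x["id"] for x in self.rules), default=0)
            r["id"] = (top // self.step + 1) * self.step
        self.rules.append(r)
        self.rules.sort(key=lambda x: x["id"])  # match-order config == rule-id order
        return r["id"]

    def evaluate(self, ip):
        """Return (action, matching rule-id); (default, None) when nothing matches."""
        for r in self.rules:
            if rule_matches(r, ip):
                return r["action"], r["id"]
        return self.default, None
```

Feeding it the two rules shown later in this section under display acl 2001 and then a constructed deny for 10.0.0.0/8 gives permit for 1.1.1.1 and 9.9.9.9, deny for any other 10.x address, and the default for everything else; swapping the deny in front of the permits, which rule-id order would do if it carried a lower id, changes the result, which is why rule ids and match order matter when editing a live ACL.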

5.4.3 Using TFTP to Download Files from Other Devices

You can use the tftp command to download files from a remote server to the local device.

Context

A Virtual Private Network (VPN) is a private network whose devices and terminals are connected over a shared network such as the Internet. To reach a TFTP server that belongs to a VPN instance, specify vpn-instance-name in the tftp command when establishing the TFTP session.

To download a file, the TFTP client sends a read request to the TFTP server. After receiving each data packet, the TFTP client sends an acknowledgment to the server.

Procedure

- Run:


  tftp [ -a source-address | -i interface-type interface-number ] host-ip-address [ vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]

  A file is downloaded by using TFTP.

  The interface type specified by interface-type must be loopback.

----End

5.4.4 Using TFTP to Upload Files to Other Devices

You can use the tftp command to upload files to remote servers.

Context

To upload a file, the TFTP client sends a write request to the TFTP server and then sends the data packets. After receiving each data packet, the TFTP server sends an acknowledgment to the client.

Procedure

- Run:

  tftp [ -a source-address | -i interface-type interface-number ] host-ip-address [ vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]

  A file is uploaded by using TFTP.

  The interface type specified by interface-type must be loopback.

----End

5.4.5 Checking the Configuration

After completing the configuration for using TFTP to access another device, you can view the source address of the TFTP client and the configured ACL rules.

Prerequisite

The configurations for using TFTP to access other devices are complete.

Procedure

- Run the display tftp-client command to check the source address of the TFTP client.
- Run the display acl { acl-number | all } command to check the ACL rules configured on the TFTP client.

----End

Example

Run the display tftp-client command to view the source address of the TFTP client.

<HUAWEI> display tftp-client
----------------------------------------------------------------------
acl4Number     : 0
SrcIPv4Addr    : 0.0.0.0
Interface Name : LoopBack0
----------------------------------------------------------------------


Run the display acl { acl-number | all } command to view the ACL rules configured on the TFTP client.

<HUAWEI> display acl 2001
Basic acl 2001, 2 rules
Acl's step is 5
Acl's match-order is config
 rule 5 permit ip source 1.1.1.1 0 (2 times matched)
 rule 10 permit ip source 9.9.9.9 0 (3 times matched)

5.5 Using FTP to Access Other Devices

You can log in to an FTP server on the network from the device functioning as an FTP client to upload files to or download files from the server.

Applicable Environment

When you need to transfer files with a remote FTP server or manage directories on the server, you can configure the current device as an FTP client and then access the FTP server by using FTP.

Pre-configuration Tasks

Before using FTP to access another device, complete the following task:

- Configuring User Login

Configuration Procedures

Figure 5-7 Using FTP to operate files (flowchart, shown here as text):

1. Configure the source address for the FTP client (optional).
2. Use FTP commands to connect to other devices.
3. Change the logged-in user (optional).
4. Use FTP commands to operate files.
5. Terminate the connection to the FTP server.

(Figure legend: mandatory procedure / optional procedure.)


5.5.1 (Optional) Configuring the Source Address for the FTP Client

You can configure a source address for an FTP client and use it to establish FTP connections, so that the server always sees the same client address.

Context

You can assign an IP address to a loopback interface on the router and use this IP address as the source address of FTP connections. The FTP server then sees a single, stable source address for this client regardless of which physical interface the packets leave through, and access on the server can be restricted to exactly that address. This is what the guide means by the source address ensuring the security of file transfer; FTP itself still carries credentials and data in plaintext.

Do as follows on the router that functions as an FTP client:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ftp client-source { -a ip-address | -i interface-type interface-number }

The source address is configured.

The value of interface-type must be loopback.

After the source address of the FTP client is configured, you can run the display ftp-users command on the FTP server to check that the displayed source address of the FTP client is the same as the configured one.

Step 3 Run: commit

The configuration is committed.

----End

5.5.2 Using FTP to Connect the FTP Client to Other Devices

FTP commands can be used to log in to other devices from the FTP client.

Context

Commands can be run in the user view or in the FTP client view to establish connections with remote FTP servers.

NOTE

- If the ftp command is run without any parameters in the user view, the FTP client view is displayed but no control connection to an FTP server is established.
- When using the ftp command in the user view or the open command in the FTP client view to establish a control connection to a remote FTP server, you do not need to specify the listening port number if the FTP server listens on the default port (21); otherwise, you must specify the listening port number in the command.

Perform either of the following operations on the FTP client, based on the type of IP address of the server:


Procedure

- If the server has an IPv4 address, use the commands listed in Table 5-1 to connect the client to other devices.

Table 5-1 Using FTP commands to connect the FTP client to other devices

View             Operation
User view        Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to establish a connection to the FTP server.
FTP client view  Run the open { -a source-ip | -i interface-type interface-number } host-ip-address [ port-number ] [ vpn-instance vpn-instance-name ] command to establish a connection to the FTP server.

- If the server has an IPv6 address, use the commands listed in Table 5-2 to connect the client to other devices.

Table 5-2 Using FTP commands to connect the FTP client to other devices

View             Operation
User view        Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to establish a connection to the FTP server.
FTP client view  Run the open ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to establish a connection to the FTP server.

----End

5.5.3 Using FTP to Operate Files

After logging in to an FTP server, you can use FTP commands to operate files, including configuring the file transfer mode, viewing online help for FTP commands, uploading and downloading files, managing directories, and managing files.

Procedure

Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:

- Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to establish a connection to the FTP server over IPv4 and enter the FTP client view.
- Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to establish a connection to the FTP server over IPv6 and enter the FTP client view.

Step 2 Perform one or more of the operations shown in Table 5-3 as needed.


Table 5-3 File operations

Managing files

- Configuring the file type
  - Run the ascii command to set the file type to ASCII.
  - Run the binary command to set the file type to binary.
  The FTP file type is determined by the client. By default, the ASCII type is used, so run binary before transferring program files such as system software; a program file transferred in ASCII mode is corrupted.

- Configuring the data connection mode
  - Run the passive command to set the data connection mode to PASV.
  - Run the undo passive command to set the data connection mode to ACTIVE.
  By default, the PASV mode is used.

- Uploading files
  - Run the put local-filename [ remote-filename ] command to upload a file from the local device to a remote server.
  - Run the mput local-filenames command to upload multiple files from the local device to a remote server.

- Downloading files
  - Run the get remote-filename [ local-filename ] command to download a file from a remote server and save it on the local device.
  - Run the mget remote-filenames command to download multiple files from a remote server and save them on the local device.

- Enabling the file transfer prompt function
  - If the prompt command is run in the FTP client view to enable the file transfer prompt function, the system prompts you to confirm each upload or download.
  - If the prompt command is run again in the FTP client view, the file transfer prompt function is disabled.
  NOTE: The prompt command applies when the mput or mget command is used to upload or download files. If the local device already has a file that the mget command would download, the system prompts you before overwriting the existing file regardless of whether the file transfer prompt function is enabled.

- Enabling the FTP verbose function
  Run the verbose command. After the verbose function is enabled, all FTP response information is displayed. After a file transfer is complete, statistics about the transfer rate are displayed.

Managing directories

- Changing the working path of a remote FTP server
  Run the cd pathname command.


- Changing the working path of an FTP server to the parent directory
  Run the cdup command.

- Displaying the working path of an FTP server
  Run the pwd command.

- Displaying the files in a directory and the list of subdirectories
  Run the dir [ remote-directory [ local-filename ] ] command. If no path name is specified for a remote file, the system searches for the file in the user's authorized directory.

- Displaying a specified remote directory or file on an FTP server
  Run the ls [ remote-directory [ local-filename ] ] command.

- Displaying or changing the working path of an FTP client
  Run the lcd [ directory ] command. The lcd command displays the local working path of the FTP client, while the pwd command displays the working path of the remote FTP server.

- Creating a directory on an FTP server
  Run the mkdir remote-directory command. The directory name can be a combination of letters and numbers, excluding special characters such as "<", ">", "?", "\", and ":".

- Deleting a directory from an FTP server
  Run the rmdir remote-directory command.

- Displaying online help for an FTP command
  Run the remotehelp [ command ] command.

- Changing the FTP user
  Run the user username [ password ] command.

----End
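The two data connection modes selected by passive and undo passive in Table 5-3, shown at the protocol level as an added example that is not code from this guide or from Huawei. In PASV mode the client parses the server's 227 reply and opens the data connection to the announced address; in ACTIVE mode the client announces its own listening address with a PORT command and the server connects back from port 20. The reply lines and addresses are constructed; the check that a PASV reply points at the same host as the control connection, and the refusal of privileged data ports, are policy choices of this example.

```python
"""FTP data-connection setup in the two modes the passive/undo passive commands
select: parse the server's 227 reply (PASV) and build the client's PORT command
(ACTIVE). Added example, not Huawei code; the reply lines are constructed."""
import re

PASV_RE = re.compile(r"227 .*?\(\s*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*\)")


def parse_pasv(reply):
    """Return (host, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port < 1024:
        # Policy of this example: a server steering the client at a privileged
        # port is not a normal data connection; refuse rather than connect.
        raise ValueError("PASV reply points at privileged port %d; refusing" % port)
    return host, port


def build_port_command(client_ip, port):
    """ACTIVE mode: the client tells the server where to connect back (client listens)."""
    if not 0 < port < 65536:
        raise ValueError("bad port")
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address")
    return "PORT %s,%d,%d\r\n" % (",".join(octets), port >> 8, port & 0xFF)


def data_endpoint(mode, control_peer, reply=None, client_ip=None, client_port=None):
    """Describe who connects to whom for the data connection in the given mode.
    PASV: the client connects to the address from the 227 reply; a host that differs
    from the control-connection peer is flagged (classic redirection trick).
    ACTIVE: the server connects from port 20 to the client's announced address,
    which needs the client to be reachable inbound (often not, behind a firewall)."""
    if mode == "PASV":
        host, port = parse_pasv(reply)
        return {"connector": "client", "to": (host, port), "host_mismatch": host != control_peer}
    if mode == "ACTIVE":
        return {"connector": "server", "from_port": 20, "to": (client_ip, client_port),
                "command": build_port_command(client_ip, client_port)}
    raise ValueError("mode must be PASV or ACTIVE")
```

The host_mismatch flag is the practical reason to prefer PASV only against servers you trust: the 227 reply tells the client where to connect, and a client that follows it blindly can be pointed at an arbitrary host and port.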

5.5.4 (Optional) Changing the User Login

You can switch to a user with different rights on the same FTP connection.

Context

After the device functioning as an FTP client has established a connection to an FTP server, you can change the logged-in user to access the server with a user that has different rights. Changing the logged-in user does not affect the established FTP connection: the FTP control and data connections and the connection status do not change.

If the user name or password entered for the new user is incorrect, the established connection is disconnected. To access the server again, the user must log in from the FTP client again.


NOTE

After logging in to the HUAWEI NetEngine5000E, you can log in to the FTP server by using another username without logging out of the FTP client view. The established FTP connection is identical with thatestablished by running the ftp command.

Procedure

Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:

- Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to establish a connection to the FTP server and enter the FTP client view.

- Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to use an IPv6 address to establish a connection to the FTP server and enter the FTP client view.

Step 2 Run:
user user-name [ password ]

The logged-in user is changed: the new user logs in to the FTP server over the existing connection.

After the logged-in user is changed, the original user's login session with the FTP server ends; the FTP connection itself is kept and is now used by the new user.

Step 3 Run:
commit

The configuration is committed.

----End

5.5.5 Terminating a Connection to the FTP Server

To save system resources and ensure that valid users can log in to the FTP server, terminate connections to the FTP server that are no longer needed.

Context

After the number of users logged in to an FTP server reaches the upper limit, no more valid users can log in. To allow valid users to log in to the FTP server, terminate idle connections to the FTP server.

Procedure

Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:

- Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to establish a connection to the FTP server and enter the FTP client view.

- Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to use an IPv6 address to establish a connection to the FTP server and enter the FTP client view.

Step 2 Perform either of the following operations as needed to terminate an FTP connection.


- Run the bye or quit command to terminate the connection to the FTP server and return to the user view.

- Run the close or disconnect command to terminate the connection to the FTP server and the FTP session but remain in the FTP client view.

----End

5.5.6 Checking the Configuration

After completing the configuration of accessing other devices by using FTP, you can view the parameters configured on the FTP client.

Prerequisite

The configurations of accessing other devices by using FTP are complete.

Procedure

- Run the display ftp-client command to check the source address of the FTP client.

----End

Example

After configuring the source IP address of the FTP client, run the display ftp-client command to view the configuration.

<HUAWEI> display ftp-client
-----------------------------------------
SrcIPv4Addr    : 10.1.1.1
Interface Name :
-----------------------------------------

After configuring the loopback interface of the FTP client, run the display ftp-client command to view the configuration.

<HUAWEI> display ftp-client
-----------------------------------------
SrcIPv4Addr    : 0.0.0.0
Interface Name : LoopBack0
-----------------------------------------

5.6 Using SFTP to Access Other Devices

SFTP provides a secure file transfer service. Here the device is configured as an SFTP client. The SFTP server authenticates the client, the client verifies the server's public key, and data is encrypted in both directions.

Applicable Environment

SFTP is short for SSH File Transfer Protocol. Running over SSH, SFTP lets users log in to a remote device securely to manage and transfer files. As the device can function as an SFTP client, you can log in to a remote SSH server from the device to transfer files securely, instead of using FTP, which sends credentials and data in plain text.

Pre-configuration Tasks

Before using SFTP to access other devices, complete the following task:


- Configuring a route between the client and the server so that they can reach each other

Configuration Procedures

Figure 5-8 Using SFTP to access other devices (flowchart)

The flowchart shows two alternative starting points leading to the same mandatory procedures. Either enable first-time authentication on the SSH client so that the first login succeeds without a pre-configured server key, or bind the RSA public key generated on the SSH server to the SSH client. Then optionally configure the source address for the SFTP client, use SFTP to log in to the other device, and use SFTP commands to operate files.

5.6.1 (Optional) Configuring the Source Address for the SFTP Client

You can configure a source address for an SFTP client and use that address to establish SFTP connections. A fixed source address (for example, a loopback interface address) lets the SSH server restrict access to a known client address rather than to whichever interface address the connection happens to leave from.

Context

You can assign an IP address to an interface on the SFTP client and use this IP address as the source address when establishing an SFTP connection.

The source address for an SFTP client can be a source interface or a source IP address.

Do as follows on the device functioning as an SFTP client:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }

The source address of the SFTP client is configured.


Step 3 Run:
commit

The configuration is committed.

----End

5.6.2 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client)

After first-time authentication is enabled on the SSH client, the RSA public key of the SSH server is not checked when the SFTP client logs in to the SSH server for the first time.

Context

After first-time authentication is enabled on the SSH client, the RSA public key presented by the SSH server is not checked when the SFTP client logs in to that server for the first time. During this first login the client saves the server's public key, and uses the saved key to authenticate the server during subsequent logins. This is trust on first use: an attacker who intercepts the first connection can have their own key saved instead of the server's. Where the server's key can be obtained out of band, bind it on the client as described in 5.6.3 instead, and compare the key saved after a first-time login with the key the server displays before relying on it.

Do as follows on the router that functions as an SSH client:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh client first-time enable

First-time authentication is enabled on the SSH client.

By default, first-time authentication is disabled for an SSH client.

Step 3 Run:
commit

The configuration is committed.

----End

5.6.3 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server)

If first-time authentication is disabled on the SSH client, configure the SSH server's RSA public key on the client and bind it to the server's address before the SFTP (SSH) client logs in to the server.

Context

If first-time authentication is disabled, the SFTP client cannot log in to the SSH server because it has no public key with which to verify the server, so the validity check of the server's RSA public key fails. Therefore, you need to save the server's RSA public key on the client and bind it to the server's address before the SFTP client logs in to the server.


Do as follows on the router that functions as an SSH client:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:
public-key-code begin

The public key edit view is displayed.

Step 4 Enter hex-data to edit the public key.

The public key must be entered as a hexadecimal string complying with the public key format. It is the public half of the key pair generated on the SSH server (shown there by the display rsa local-key-pair public command).

NOTE

After entering the public key edit view, copy and paste the RSA public key generated on the server to the client.

Step 5 Run:
public-key-code end

Exit from the public key edit view.

If the configured public key contains invalid characters or does not comply with the public key format, a prompt is displayed, the configured public key is discarded, and the configuration fails. If the configured public key is valid, the key is saved into the client public key chain table.

- If no valid hex-data is specified, no public key is generated.
- If the key-name specified in Step 2 has been deleted in another window, the system prompts an error and returns to the system view.

Step 6 Run:
peer-public-key end

Exit from the public key view; the system view is displayed.

Step 7 Run:
ssh client server-ip-address assign rsa-key key-name

The RSA public key is bound to the SSH server's address on the SSH client.

NOTE

If the public key saved on the SSH client becomes invalid (for example, because the server's key pair was regenerated), run the undo ssh client server-ip-address assign rsa-key command to remove the binding between the server address and the key, and then run the ssh client server-ip-address assign rsa-key key-name command to bind the server's new RSA public key.

Step 8 Run:
commit


The configuration is committed.

----End
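The two procedures above (5.6.2 and 5.6.3) are two policies for the same decision: what the SSH client does with the public key a server presents. The following Python example, added here and not Huawei code (VRP's internal implementation is not shown on this page, and the class and method names are invented for the illustration), models that decision so the failure mode of first-time authentication is visible. GENUINE is the client002 host key blob printed later in 5.7.2, reused here as a stand-in for the real key of 1.1.1.1; IMPOSTOR is constructed bytes standing in for an on-path attacker's key.

```python
"""Added example: the server-key decision an SSH client makes, modelled on the
NE5000E options 'ssh client first-time enable' and
'ssh client <server-ip> assign rsa-key <key-name>'. Not Huawei code."""
import base64
import hashlib

# Constructed inputs. GENUINE is the ssh-rsa blob of the client002 host key shown
# in 5.7.2 on this page, standing in for the real 1.1.1.1 host key; IMPOSTOR is
# arbitrary bytes standing in for a man-in-the-middle's key.
GENUINE = ("AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri"
           "89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uM"
           "Nk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ==")
IMPOSTOR = base64.b64encode(b"not the real 1.1.1.1 host key").decode()


def fingerprint(key_b64):
    """SHA-256 fingerprint of a base64 key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class SshClientKeyStore:
    """Client-side server-key policy (hypothetical class, not a VRP API).

    first_time_enable mirrors 'ssh client first-time enable' (default: disabled);
    assign_rsa_key / undo_assign_rsa_key mirror 'ssh client <ip> assign rsa-key'.
    """

    def __init__(self, first_time_enable=False):
        self.first_time_enable = first_time_enable
        self.bound = {}                      # server address -> base64 key blob

    def assign_rsa_key(self, server, key_b64):
        self.bound[server] = key_b64

    def undo_assign_rsa_key(self, server):
        self.bound.pop(server, None)

    def verify_server(self, server, presented_b64):
        """Return (accepted, reason) for the key a server presented during key exchange."""
        known = self.bound.get(server)
        if known is not None:
            if known == presented_b64:
                return True, "server key matches the bound key"
            return False, ("server key changed (bound %s, presented %s): "
                           "confirm out of band before undo/re-assign"
                           % (fingerprint(known), fingerprint(presented_b64)))
        if self.first_time_enable:
            self.bound[server] = presented_b64   # trust on first use: saved unverified
            return True, "first-time authentication: key saved without verification"
        return False, "no key bound for this server and first-time authentication is disabled"


def demo():
    """Walk through both policies; returns the list of (accepted, reason) results."""
    results = []
    tofu = SshClientKeyStore(first_time_enable=True)
    results.append(tofu.verify_server("1.1.1.1", IMPOSTOR))   # first contact is the attacker: accepted
    results.append(tofu.verify_server("1.1.1.1", GENUINE))    # the real server is now rejected
    pinned = SshClientKeyStore()
    results.append(pinned.verify_server("1.1.1.1", GENUINE))  # nothing bound, TOFU off: rejected
    pinned.assign_rsa_key("1.1.1.1", GENUINE)
    results.append(pinned.verify_server("1.1.1.1", GENUINE))  # matches the bound key
    results.append(pinned.verify_server("1.1.1.1", IMPOSTOR)) # mismatch: rejected
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

The first two results are the point: with first-time authentication enabled, whichever key arrives first is the one that gets saved, and the genuine server is then reported as a changed key. Binding the key in advance, as in 5.6.3, makes the first connection verifiable; the fingerprint in the mismatch reason is what an operator compares against the key the server prints with display rsa local-key-pair public.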

5.6.4 Using SFTP to Connect the SSH Client to the SSH Server

You can log in to an SSH server from an SSH client by using SFTP.

Context

The command used to enable the SFTP client is similar to the command used to enable the STelnet client. Both commands can carry the source address, key exchange algorithm, encryption algorithm, HMAC algorithm, and keepalive interval.

Do as follows on the device that functions as an SSH client:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

The SFTP client view is displayed. You have successfully logged in to the SSH server by using SFTP.

Of the algorithms that can be preferred here, des and md5 (including the truncated md5_96) are cryptographically weak. If you set preferences, prefer aes128 for both cipher directions, sha1 for both HMAC directions, and dh_exchange_group rather than the fixed 1024-bit dh_group1 for key exchange.

Step 3 Run:
commit

----End

5.6.5 Using SFTP to Operate Files

You can manage directories and files on the SSH server from the SFTP client, and view help for all SFTP commands on the SFTP client.

Context

After logging in to the SSH server from the SFTP client, you can perform the following operations on the SFTP client:

- Create and delete directories on the SSH server; view the current working directory; view files in a directory and the list of sub-directories.
- Rename, delete, upload, and download files.
- View command help on the SFTP client.

Do as follows on the router that functions as an SSH client:


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

The SFTP client view is displayed. You have successfully logged in to the SSH server by using SFTP.

Step 3 Perform one or more of the operations shown in Table 5-4 as needed.

Table 5-4 File operations

Managing directories

- Changing the user's working directory: Run the cd [ remote-directory ] command.
- Changing the user's working directory to the parent directory: Run the cdup command.
- Displaying the user's working directory: Run the pwd command.
- Displaying files in the directory and the list of sub-directories: Run the dir or ls [ remote-directory ] command.
- Deleting directories on the server: Run the rmdir remote-directory &<1-10> command.
- Creating a directory on the server: Run the mkdir remote-directory command.

Managing files

- Renaming a file on the server: Run the rename old-name new-name command.
- Downloading files from a remote server: Run the get remote-filename [ local-filename ] command.
- Uploading files to a remote server: Run the put local-filename [ remote-filename ] command.
- Deleting files from the server: Run the remove path &<1-10> command.

Displaying command help on the SFTP client

- Run the help [ all | command-name ] command.


----End

5.6.6 Checking the Configuration

After completing the configuration of using SFTP to access other devices, you can view the source address of the SSH client, the mappings between SSH servers and RSA public keys on the client, the global configuration of the SSH servers, and the sessions between the SSH servers and the client.

Prerequisite

The configurations of using SFTP to access other devices are complete.

Procedure

- Run the display sftp-client command to check the source address of the SSH client.
- Run the display ssh server-info command to check the mappings between SSH servers and RSA public keys on the client.

----End

Example

Run the display sftp-client command on the client to view the parameters of the SFTP client.

<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1

Run the display ssh server-info command to view the mappings between servers and RSA public keys on the client.

<HUAWEI> display ssh server-info
Server Name(IP)          Server public key name
________________________________________________________________________
1000::1                  1000::1
10.1.1.1                 10.1.1.1
100.1.1.23               100.1.1.23
10.164.1.1               10.164.1.1
10.164.1.2               10.164.1.2

5.7 Configuration Examples

This section provides examples for configuring one device to access other devices. These configuration examples explain networking requirements, configuration roadmap, and precautions.

5.7.1 Example for Using Telnet to Log In to Other Devices

This example shows how to log in to another device by using Telnet. You can configure the user authentication mode and password to log in to another device by using Telnet.

Networking Requirements

A large number of devices on a network need to be managed and maintained. It is impossible to connect each device to a terminal, especially when there is no reachable route between a


device and the terminal. To manage and maintain remote devices, you can log in to other devices by using Telnet from the device that you have logged in to.

As shown in Figure 5-9, a user can telnet to P1 but cannot directly telnet to P2. P1 and P2 are routable. The user logs in to P1, and then telnets to P2 to remotely configure and manage P2.

Figure 5-9 Networking diagram for using Telnet to log in to another device

PC ---(Telnet session)--- P1 [GE1/0/1: 1.1.1.1/24] ---(Telnet session)--- P2 [GE1/0/1: 2.1.1.1/24]

Precautions

- P1 and P2 must be routable.
- The user must be able to log in to P1.

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the Telnet authentication mode and password on P2.
2. Log in to P2 from P1.

Data Preparation

To complete the configuration, you need the following data:

- Host address of P2: 2.1.1.1
- Authentication mode: password (password: hello)

Procedure

Step 1 Configure the Telnet authentication mode and password.

<HUAWEI> system-view
[~HUAWEI] sysname P2
[~HUAWEI] commit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] authentication-mode password
[~P2-ui-vty0-4] set authentication password simple hello
[~P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit

If an ACL is to restrict which addresses can access P2 by using Telnet, do as follows on P2:

[~P2] acl 2000
[~P2-acl-basic-2000] rule permit source 1.1.1.1 0


[~P2-acl-basic-2000] quit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] acl 2000 inbound
[~P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit

NOTE

Configuring an ACL for the Telnet service is optional, but without it any host with a route to P2 can reach the login prompt. The simple keyword stores the password in plain text in the configuration file (see the configuration file of P2 below), and Telnet itself sends it in plain text on the wire; 5.7.2 shows the STelnet alternative.

Step 2 Verify the configuration.

After the configurations are complete, the user can telnet from P1 to P2.

<HUAWEI> system-view
[~HUAWEI] sysname P1
[~HUAWEI] commit
[~P1] quit
<P1> telnet 2.1.1.1
Trying 2.1.1.1
Press CTRL+K to abort
Connected to 2.1.1.1
Username: root
Password:
<P2>

----End

Configuration Files

- Configuration file of P1

#
sysname P1
#
interface gigabitethernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
admin
return

- Configuration file of P2

#
sysname P2
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
interface gigabitethernet1/0/1
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
#
user-interface vty 0 4
 set authentication password simple hello
 acl 2000 inbound
#
admin
return

5.7.2 Example for Using STelnet to Log In to Other Devices

This example shows how to log in to another device by using STelnet. To allow the STelnet client to connect to the SSH server, configure the client and server to generate local key pairs, save the client's RSA public key on the server, and bind that public key to the client's SSH user.


Networking Requirements

A large number of devices on a network need to be managed and maintained. It is impossible to connect each device to a terminal, especially when there is no reachable route between a device and the terminal. To manage and maintain remote devices, log in to other devices from the device that you have logged in to. Logging in by using Telnet brings security risk because Telnet does not provide a secure authentication mechanism and data is transmitted over TCP in plain text.

STelnet provides secure Telnet services over SSH connections. With encryption and authentication, SSH protects devices against IP address spoofing and interception of plain-text passwords. As shown in Figure 5-10, after the STelnet server function is enabled on the SSH server, the STelnet client can log in to the SSH server in the authentication mode of password, RSA, password-RSA, or all.

Figure 5-10 Networking diagram for logging in to another device by using STelnet

Client001 [GE0/0/0: 1.1.2.2/16] ---- SSH Server [GE0/0/0: 1.1.1.1/16] ---- Client002 [GE0/0/0: 1.1.3.3/16]

Precautions

Two users, client001 and client002, are configured to log in to the SSH server in the password and RSA authentication modes respectively.

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure users client001 and client002 on the SSH server to use different authentication modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind the RSA public key of client002 to the SSH user client002 on the server so that the server can authenticate the client when it attempts to log in.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first-time authentication on the SSH clients.
6. Client001 and client002 log in to the SSH server by using STelnet.

Data Preparation

To complete the configuration, you need the following data:


- Client001: password authentication (password: huawei)
- Client002: RSA authentication (public key name: rsakey001)
- IP address of the SSH server: 1.1.1.1

Procedure

Step 1 Configure the server to generate a local key pair.

<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024

Do not accept the 512-bit default: RSA keys that short can be factored with modest resources. The 1024 bits used in this example is the minimum worth considering; use the largest modulus the command offers (2048) unless a peer cannot handle it.

Step 2 Create SSH users on the server.

NOTE

There are four authentication modes for SSH users: password, RSA, password-RSA, and all.

- If the authentication mode is password or password-RSA, configure a local user on the server with the same user name.
- If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the SSH client to the server.

# Configure VTY user interfaces.

[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[~SSH Server-ui-vty0-4] protocol inbound ssh
[~SSH Server-ui-vty0-4] user privilege level 5
[~SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

- Create an SSH user named client001.

# Create an SSH user named client001 and configure password authentication for the user.

[~SSH Server] ssh user client001
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit

# Set the password of client001 to huawei.

[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password simple huawei
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit

- Create an SSH user named client002.

# Create an SSH user named client002 and configure RSA authentication for the user.

[~SSH Server] ssh user client002
[~SSH Server] ssh user client002 authentication-type rsa
[~SSH Server] commit

Step 3 Configure the RSA public key of client002 on the server.

# Configure client002 to generate a local key pair.

<HUAWEI> system-view
[~HUAWEI] sysname client002
[~HUAWEI] commit
[~client002] rsa local-key-pair create


The key name will be: client002_Host
NOTE: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
[~client002] commit

# Check the RSA public key generated on the client.

[~client002] display rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Host
Key Type : RSA Encryption Key
========================================================
Key Code:
308188
  028180
    B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
    D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
    2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
    474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
  0203
    010001

Host Public Key for PEM format Code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key

Host Public key for SSH1 format code:
1024 65537 125048203250833642388841080101906750228075076456213955541037945628567573103988800864515116082212188211715628656374631408471571024221094769443635936192463776051473454419198804475247192440223714532116284962605275170186238175974546133321165741031171160914926309797395278974490949461701171569544048167828558985421

======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
3067
  0260
    BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F E50035C8 E1539F1F 9EB3FCAC
    2BFEF147 EEF59F23 7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26 B7651BCB
    6D87BC2B 96559C38 04FC034B 54CFE7B3 2B1BBA18 A96FFC29 EF70069D DD1EE053
  0203
    010001

# Copy the RSA public key generated on the client to the server.

[~SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".


[~SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-public-key-rsa-key-code] 308188
[~SSH Server-rsa-public-key-rsa-key-code] 028180
[~SSH Server-rsa-public-key-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[~SSH Server-rsa-public-key-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[~SSH Server-rsa-public-key-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[~SSH Server-rsa-public-key-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[~SSH Server-rsa-public-key-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[~SSH Server-rsa-public-key-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[~SSH Server-rsa-public-key-rsa-key-code] 171896FB 1FFC38CD
[~SSH Server-rsa-public-key-rsa-key-code] 0203
[~SSH Server-rsa-public-key-rsa-key-code] 010001
[~SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[~SSH Server-rsa-public-key] peer-public-key end
[~SSH Server] commit

Step 4 Bind the RSA public key to client002.

[~SSH Server] ssh user client002 assign rsa-key rsakey001
[~SSH Server] commit

Step 5 Enable the STelnet server function on the SSH server.

# Enable the STelnet server function.

[~SSH Server] stelnet server enable
[~SSH Server] commit

Step 6 Set the service type of client001 and client002 to STelnet.

[~SSH Server] ssh user client001 service-type stelnet
[~SSH Server] ssh user client002 service-type stelnet
[~SSH Server] commit

Step 7 Connect the STelnet clients to the SSH server.

# If a client logs in to the server for the first time, enable first-time authentication on the client.

Enable first-time authentication on client001.

<HUAWEI> system-view
[~HUAWEI] sysname client001
[~HUAWEI] commit
[~client001] ssh client first-time enable
[~client001] commit

Enable first-time authentication on client002.

[~client002] ssh client first-time enable
[~client002] commit

# Client001 logs in to the SSH server in password authentication mode by entering the user name and password.

[~client001] stelnet 1.1.1.1
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:

Answering Y to these two prompts accepts and saves whatever key the host answering at 1.1.1.1 presents. Before relying on it, compare the saved key with the key the SSH server prints with display rsa local-key-pair public.


Enter the password huawei; information indicating a successful login is displayed as follows:

Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

# Client002 logs in to the SSH server in RSA authentication mode.

[~client002] stelnet 1.1.1.1
Please input the username: client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

If the login succeeds, the user view is displayed. If the login fails, the message "Session is disconnected" is displayed.

Step 8 Verify the configuration.

After the configuration is complete, run the display ssh server status, display ssh server session, and display ssh server statistics commands on the SSH server. You can see that the STelnet server function has been enabled and that the STelnet clients have logged in to the server successfully.

# Check the status of the SSH server.

[~SSH Server] display ssh server status
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries         : 3 times
SFTP server                        : Disable
Stelnet server                     : Enable

# Check the connections to the SSH server.

[~SSH Server] display ssh server session
Session             : 1
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : stelnet
Authentication Type : password

Session             : 2
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc


CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : stelnet
Authentication Type : rsa

# Check the current statistics of the SSH server.

[~SSH Server] display ssh server statistics
----------------------------------
Total connection accepted          : 1
Total connection denied by ACL     : 2
Total connection denied by CLI     : 0
Total connection denied by AAA     : 3
Total connection denied by Netconf : 1
Total connection closed by CLI     : 1
Total connection closed by Netconf : 4
Total connection closed by sock    : 3
Total online connection            : 5
---------------------------------------

# Check information about SSH users.

[~SSH Server] display ssh user-information
----------------------------------------------------
Username             : client001
Authentication-type  : password
User-public-key-name : -
Sftp-directory       : cfcard:
Service-type         : stelnet

Username             : client002
Authentication-type  : rsa
User-public-key-name : rsakey001
Sftp-directory       : -
Service-type         : stelnet
----------------------------------------------------

----End
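Step 3 above prints the same client002 key in three forms (the hex Key Code that is pasted into rsa peer-public-key, the OpenSSH authorized_keys line, and the SSH1-style decimal triple), and 5.6.3 asks the operator to paste such a hex key onto the peer by hand. The Python below is an added example, not Huawei code and not a VRP or OpenSSH API: it parses the hex form into the RSA modulus and exponent, rebuilds the OpenSSH line and a SHA-256 fingerprint from them, and so gives an independent check that a key about to be pasted is the key the other device displayed. The only input is the Key Code copied from Step 3; the function names are invented for the illustration.

```python
"""Added example: turn the hex "Key Code" that VRP prints for an RSA key into
the OpenSSH public-key line and a fingerprint, so a key about to be pasted
into "rsa peer-public-key" can be compared with what the other side shows.
Not Huawei code; it only reads the format shown on this page."""
import base64
import hashlib
import struct

# Constructed input: the client002 Host Key code exactly as printed in Step 3 above.
VRP_KEY_CODE = """308188 028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203 010001"""


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_vrp_key_code(key_code):
    """Return (n, e) from VRP's hex SEQUENCE { INTEGER n, INTEGER e }.

    VRP prints the modulus without the 0x00 pad byte strict DER requires when
    the top bit is set ("028180 B2..."), so both INTEGERs are read as unsigned;
    a strictly encoded key (with the pad byte) parses to the same value.
    """
    der = bytes.fromhex("".join(key_code.split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                         # RFC 4251 mpint must stay positive
        b = b"\x00" + b
    return _ssh_string(b)


def ssh_rsa_blob(n, e):
    """RFC 4253 'ssh-rsa' public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def openssh_line(n, e, comment="rsa-key"):
    """The authorized_keys line VRP prints as 'Public key code for pasting into OpenSSH'."""
    return "ssh-rsa " + base64.b64encode(ssh_rsa_blob(n, e)).decode() + " " + comment


def ssh1_line(n, e):
    """The 'SSH1 format code' VRP prints: bits, e and n in decimal."""
    return "%d %d %d" % (n.bit_length(), e, n)


def fingerprint_sha256(n, e):
    """OpenSSH-style fingerprint, comparable with ssh-keygen -lf on a workstation."""
    digest = hashlib.sha256(ssh_rsa_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


if __name__ == "__main__":
    n, e = parse_vrp_key_code(VRP_KEY_CODE)
    print(openssh_line(n, e))
    print(ssh1_line(n, e)[:40] + "...")
    print(fingerprint_sha256(n, e))
```

Running it on the Step 3 key reproduces the "ssh-rsa AAAAB3Nz..." line and the "1024 65537 ..." line exactly as the router printed them, which is the confirmation that the hex string copied from the display rsa local-key-pair public output was transcribed correctly. The fingerprint is what to read over the phone or compare against ssh-keygen -lf on a saved copy of the key; the decoder deliberately tolerates VRP's unpadded modulus so that a key exported from a strict DER tool is parsed to the same value.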

Configuration Files

- Configuration file of the SSH server

#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 308188
   028180
     B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
     D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
     2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
     474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
   0203
     010001
 public-key-code end
 peer-public-key end
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 service-type stelnet
#


aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
admin
return

l Configuration file of client001

#
 sysname client001
#
interface GigabitEthernet0/0/0
 ip address 1.1.2.2 255.255.255.0
#
ssh client first-time enable
#
admin
return

l Configuration file of client002

#
 sysname client002
#
interface GigabitEthernet0/0/0
 ip address 1.1.3.3 255.255.255.0
#
ssh client first-time enable
#
admin
return

5.7.3 Example for Using TFTP to Access Other Devices

You can run the TFTP software on the TFTP server and set the directory of source files on the server to upload and download files.

Networking Requirements

In the TCP/IP protocol suite, FTP is frequently used to transfer files. However, FTP involves complicated interactions between terminals and servers, which are hard to implement on terminals without an advanced operating system. TFTP is designed for file transfer that does not need complicated interactions between terminals and servers. It is simple and inexpensive to implement. TFTP can be used only for simple file transfer without authentication.

As shown in Figure 5-11, a user logs in to the TFTP client from a PC, and uploads files to and downloads files from the TFTP server.


Figure 5-11 Networking diagram for accessing another device by using TFTP

[Figure 5-11: PC, TFTP Client, TFTP Server; the address shown in the figure is 10.111.16.160/24]

Configuration Roadmap

The configuration roadmap is as follows:

1. Run the TFTP software on the TFTP server and set the directory of source files on the server.

2. Use TFTP commands on the TFTP client to download files.

3. Use TFTP commands on the TFTP client to upload files.

Data Preparation

To complete the configuration, you need the following data:

l TFTP software to be installed on the TFTP server
l Name of the file to be downloaded and path of the file on the TFTP server
l Name of the file to be uploaded and path of the file on the TFTP client

Procedure

Step 1 Enable the TFTP server function.

Enter the directory in which the file to be downloaded resides on the TFTP server in the Current Directory column, as shown in Figure 5-12.

Figure 5-12 Setting the current directory on the TFTP server


NOTE

The displayed window may vary with the TFTP software.

Run the tftpservermt command on the client to enter the TFTP server path and run the following command:

/home/tftpservermt # ./tftpserver -v -i tftpserver.ini
TFTP Server MultiThreaded Version 1.61 Unix Built 1611
starting TFTP...
username: root
alias / is mapped to /home/
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 3
file read allowed: Yes
file create allowed: Yes
file overwrite allowed: Yes
thread pool size: 1
listening on: 0.0.0.0:69
Accepting requests..

Step 2 Log in to the TFTP client from the HyperTerminal to download a file.

<HUAWEI> tftp 10.18.26.141 get a.txt cfcard:/b.txt
Warning: cfcard:/b.txt exists, overwrite? Please select[Y/N]:y
Transfer file in binary mode.
Please wait for a while...
/3338 bytes transferred
File transfer completed

Step 3 Verify the configuration.

Run the dir command on the TFTP client to view the directory in which the downloaded file is saved.

<HUAWEI> dir

Directory of 0/17#cfcard:/

Idx  Attr   Size(Byte)  Date         Time(LMT)  FileName
  0  -rw-        3,338  Jan 25 2011  09:27:41   b.txt
  1  -rw-  103,265,123  Jan 25 2011  06:49:07   VRPV800R002C00B020D0123.cc
  2  -rw-   92,766,274  Jan 25 2011  06:49:10   VRPV800R002C00SPC007B008D1012.cc

109,867,396 KB total (102,926,652 KB free)

Step 4 Log in to the TFTP client from the HyperTerminal to upload a file.

<HUAWEI> tftp 10.111.16.160 put sample.txt
Info: Transfer file in binary mode.
Please wait for a while...
\ 100% [***********]
File transfer completed

----End

Configuration Files

None.


5.7.4 Example for Using FTP to Access Other Devices

You can log in to the FTP server from the FTP client to download system software from the FTP server and configure the software on the client.

Networking Requirements

When you need to transfer files with a remote FTP server or manage directories of the server, you can configure the current device as an FTP client and then access the FTP server by using FTP.

As shown in Figure 5-13, the FTP client and server are routable. You can log in to the FTP server from the FTP client to download system software from the FTP server and configure the software on the client.

Figure 5-13 Networking diagram for accessing another device by using FTP

[Figure 5-13: FTP Client (GE1/0/1, 2.1.1.1/24) - Network - FTP Server (GE1/0/1, 1.1.1.1/24)]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the user name and password for an FTP user to log in to the FTP server and the directory that the user will access.

2. Enable the FTP server function.

3. Run login commands to log in to the FTP server.

4. Configure the file transfer mode and working directory to allow the client to download files from the server.

Data Preparation

To complete the configuration, you need the following data:

l User name: huawei; password: 123
l IP address of the FTP server: 1.1.1.1
l Name of the file to be downloaded and directory of the file

Procedure

Step 1 Configure an FTP user on the FTP server.

<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] local-user huawei password simple 123
[~HUAWEI-aaa] local-user huawei service-type ftp
[~HUAWEI-aaa] local-user huawei ftp-directory cfcard:/


[~HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

Step 2 Enable the FTP server function.

[~HUAWEI] ftp server enable
[~HUAWEI] commit
[~HUAWEI] quit

Step 3 Log in to the FTP server from the FTP client.

<HUAWEI> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]

Step 4 Set the file transfer mode to binary and the working directory to new_dir:/ on the FTP client.

[ftp] binary
200 Type set to I.
[ftp] lcd new_dir:/
The current local directory is new_dir:.
[ftp] commit

Step 5 Download the latest system software from the FTP server on the FTP client.

[ftp] get VRPV800R002C00B020D0123.cc
200 Port command okay.
150 Opening BINARY mode data connection for VRPV800R002C00B020D0123.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit

Run the dir command to check whether the required file has been downloaded to the client.

----End

Configuration Files

l Configuration file on the FTP server

#
aaa
 local-user huawei password simple 123
 local-user huawei ftp-directory cfcard:/
 local-user huawei service-type ftp
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
ftp server enable
#
admin
return

l Configuration file on the FTP client

#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
#
admin
return

5.7.5 Example for Using SFTP to Access Other Devices

To allow the SFTP client to connect to the SSH server, configure the client and server to generate local key pairs, configure the client to generate an RSA public key, send the public key to the server, and bind the public key to the client.

Networking Requirements

SFTP is based on SSH connections. SFTP ensures that users log in to a remote device securely to manage and transfer files, enhancing secure file transfer. As the device can function as an SFTP client, you can log in to a remote SSH server from the device to transfer files securely.

As shown in Figure 5-14, after the SFTP server function is enabled on the SSH server, the SFTP client can log in to the SSH server in the authentication mode of password, RSA, password-RSA, or all.

Figure 5-14 Networking diagram for accessing another device by using SFTP

[Figure 5-14: Client 001 (GE0/0/0, 1.1.2.2/16) and Client 002 (GE0/0/0, 1.1.3.3/16) connect to the SSH Server (GE0/0/0, 1.1.1.1/16)]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure users client001 and client002 on the SSH server to use different authentication modes to log in to the SSH server.

2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to the RSA public key of the SSH server to authenticate the client when the client attempts to log in to the server.

3. Enable the SFTP server function on the SSH server.

4. Configure the service type and authorized directory for the SSH users.

5. Client001 and client002 log in to the SSH server in SFTP mode to obtain files on the server.

Data Preparation

To complete the configuration, you need the following data:

l Client001: password authentication (password: huawei)
l Client002: RSA authentication (public key: RsaKey001)
l IP address of the SSH server: 1.1.1.1

Procedure

Step 1 Configure the server to generate a local key pair.

<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus [default = 512] :

Step 2 Create SSH users on the server.

NOTE

There are four authentication modes for SSH users: password, RSA, password-RSA, and all.

l If the authentication mode is password or password-RSA, configure a local user on the server with the same user name.

l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the SSH client to the server.

l Create an SSH user named client001.

# Create an SSH user named client001 and configure password authentication for the user.

[~SSH Server] ssh user client001
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit

# Set the password of client001 to huawei.

[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password simple huawei
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit

l Create an SSH user named client002.

# Create an SSH user named client002 and configure RSA authentication for the user.

[~SSH Server] ssh user client002
[~SSH Server] ssh user client002 authentication-type rsa
[~SSH Server] commit

Step 3 Configure the RSA public key on the server.

# Configure the client to generate a local key pair.

<HUAWEI> system-view
[~HUAWEI] sysname client002
[~HUAWEI] commit
[~client002] rsa local-key-pair create
The key name will be: client002_Host
NOTE: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
[~client002] commit

# Check the RSA public key generated on the client.

[~client002] display rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Host
Key Type : RSA Encryption Key
========================================================
Key Code:
308188
  028180
    B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
    D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
    2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
    474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
  0203
    010001

Host Public Key for PEM format Code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key

Host Public key for SSH1 format code:
1024 65537 125048203250833642388841080101906750228075076456213955541037945628567573103988800864515116082212188211715628656374631408471571024221094769443635936192463776051473454419198804475247192440223714532116284962605275170186238175974546133321165741031171160914926309797395278974490949461701171569544048167828558985421

======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
3067
  0260
    BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F E50035C8 E1539F1F 9EB3FCAC
    2BFEF147 EEF59F23 7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26 B7651BCB
    6D87BC2B 96559C38 04FC034B 54CFE7B3 2B1BBA18 A96FFC29 EF70069D DD1EE053
  0203
    010001

# Copy the RSA public key generated on the client to the server.

[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-key-code] 3047
[~SSH Server-rsa-key-code] 0240
[~SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[~SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[~SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[~SSH Server-rsa-key-code] 1D7E3E1B
[~SSH Server-rsa-key-code] 0203
[~SSH Server-rsa-key-code] 010001
[~SSH Server-rsa-key-code] public-key-code end
[~SSH Server-rsa-public-key] peer-public-key end
[~SSH Server] commit

Step 4 Bind the RSA public key to client002.

[~SSH Server] ssh user client002 assign rsa-key RsaKey001
[~SSH Server] commit

Step 5 Enable the SFTP server function on the SSH server.

# Enable the SFTP server function.

[~SSH Server] sftp server enable
[~SSH Server] commit

Step 6 Configure the service type and authorized directory for the SSH users.

Two SSH users are configured on the SSH server: client001 in password authentication mode and client002 in RSA authentication mode.

[~SSH Server] ssh user client001 service-type sftp
[~SSH Server] ssh user client001 sftp-directory cfcard:
[~SSH Server] ssh user client002 service-type sftp
[~SSH Server] ssh user client002 sftp-directory cfcard:

Step 7 Connect the SFTP client to the SSH server.

# If the client logs in to the server for the first time, enable first-time authentication on the client.

Enable first-time authentication on client001.

<HUAWEI> system-view
[~HUAWEI] sysname client001
[~HUAWEI] commit
[~client001] ssh client first-time enable
[~client001] commit

Enable first-time authentication on client002.

[~client002] ssh client first-time enable
[~client002] commit

# Client001 logs in to the SSH server in password authentication mode.

[~client001] sftp 1.1.1.1
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 1.1.1.1. Please wait
Enter password:

# Client002 logs in to the SSH server in RSA authentication mode.

[~client002] sftp 1.1.1.1
Please input the username: client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 1.1.1.1. Please wait.

Step 8 Verify the configuration.

After the configuration is complete, run the display ssh server status, display ssh server session, and display ssh server statistics commands on the SSH server. The output shows that the SFTP server function has been enabled and that the SFTP clients have logged in to the server.


# Check the status of the SSH server.

[~SSH Server] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server: Enable
Stelnet server: Disable

# Check the connection to the SSH server.

[~SSH Server] display ssh server session
Session : 1
Conn : SFTP 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : password

Session : 2
Conn : SFTP 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : rsa

# Check the current statistics information of the SSH server.

[~SSH Server] display ssh server statistics
----------------------------------
Total connection accepted : 1
Total connection denied by ACL : 2
Total connection denied by CLI : 0
Total connection denied by AAA : 3
Total connection denied by Netconf : 1
Total connection closed by CLI : 1
Total connection closed by Netconf : 4
Total connection closed by sock : 3
Total online connection : 5
---------------------------------------

# Check information about SSH users.

[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name : -
Sftp-directory : cfcard:
Service-type : sftp

Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
Sftp-directory : -
Service-type : sftp
----------------------------------------------------

----End

Configuration Files

l Configuration file of the SSH server

#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 3047
   0240
     C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
     A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
   0203
     010001
 public-key-code end
peer-public-key end
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.0.0
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
admin
return

l Configuration file of client001

#
 sysname client001
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.2.2 255.255.0.0
#
ssh client first-time enable
#
admin
return

l Configuration file of client002

#
 sysname client002
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.3.3 255.255.0.0
#
ssh client first-time enable
#
admin
return

5.7.6 Example for Accessing the SSH Server by Using a Non-default Listening Port Number

A non-default listening port number can be configured for the SSH server to allow only valid users to establish SSH connections with the server.

Networking Requirements

The default SSH listening port number is 22. If attackers continuously access this port, bandwidth resources are consumed and performance of the server deteriorates. As a result, valid users cannot access the server.

If the listening port number of the SSH server is changed to a non-default one, attackers do not know the change and continue to send requests for socket connections to port 22. The SSH server denies the connection requests because the listening port number is incorrect.

Valid users can set up socket connections with the SSH server by using the new listening port number to implement the following functions: negotiate the version of the SSH protocol, negotiate the algorithm, generate the session key, authenticate, send the session request, and attend the session.

Figure 5-15 Example for accessing the SSH server by using a non-default listening port number

[Figure 5-15: Client 001 (GE0/0/0, 1.1.2.2/16) and Client 002 (GE0/0/0, 1.1.3.3/16) connect to the SSH Server (GE0/0/0, 1.1.1.1/16)]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure users client001 and client002 on the SSH server to use different authentication modes to log in to the SSH server.

2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to the RSA public key of the SSH server to authenticate the client when the client attempts to log in to the server.

3. Enable the STelnet and SFTP server functions on the SSH server.

4. Configure the service type and authorized directory for the SSH users.

5. Configure a non-default listening port number of the SSH server to allow only valid users to access the server.

6. Client001 and client002 log in to the SSH server by using STelnet and SFTP respectively.

Data Preparation

To complete the configuration, you need the following data:

l Client001: password authentication (password: huawei) and STelnet service type
l Client002: RSA authentication (public key: RsaKey001) and SFTP service type
l IP address of the SSH server: 1.1.1.1
l Listening port number of the SSH server: 1025

Procedure

Step 1 Configure the server to generate a local key pair.

<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
[~SSH Server] commit

Step 2 Configure the RSA public key on the server.

# Configure the client to generate a local key pair.

<HUAWEI> system-view
[~HUAWEI] sysname client002
[~HUAWEI] commit
[~client002] rsa local-key-pair create
[~client002] commit

# Check the RSA public key generated on the client.

[~client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
    519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
  0203
    010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB D2797280 4BCA86C0 4CD18B70
    5DFAC9D3 9A3F3E74 9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27 1C76ABAB
    743C568B 1B35EC7A 8572A096 BCA9DF0E BC89D3DB 5A83698C 9063DB39 A279DD89
  0203
    010001

# Copy the RSA public key generated on the client to the server.

[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-key-code] 3047
[~SSH Server-rsa-key-code] 0240
[~SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[~SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[~SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[~SSH Server-rsa-key-code] 1D7E3E1B
[~SSH Server-rsa-key-code] 0203
[~SSH Server-rsa-key-code] 010001
[~SSH Server-rsa-key-code] public-key-code end
[~SSH Server-rsa-public-key] peer-public-key end
[~SSH Server] commit

Step 3 Create SSH users on the server.

NOTE

There are four authentication modes for SSH users: password, RSA, password-RSA, and all.

l If the authentication mode is password or password-RSA, configure a local user on the server with the same user name.

l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the SSH client to the server.

# Configure VTY user interfaces.

[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[~SSH Server-ui-vty0-4] protocol inbound ssh
[~SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

l Create an SSH user named client001.

# Create an SSH user named client001 and configure password authentication for the user.

[~SSH Server] ssh user client001
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit

# Set the password of client001 to huawei.

[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password simple huawei
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit

# Set the service type of client001 to STelnet.

[~SSH Server] ssh user client001 service-type stelnet

l Create an SSH user named client002.

# Create an SSH user named client002, configure RSA authentication for the user, and bind the RSA public key to client002.

[~SSH Server] ssh user client002
[~SSH Server] ssh user client002 authentication-type rsa
[~SSH Server] ssh user client002 assign rsa-key RsaKey001
[~SSH Server] commit

# Set the service type of client002 to SFTP and configure the authorized directory for the user.

[~SSH Server] ssh user client002 service-type sftp
[~SSH Server] ssh user client002 sftp-directory cfcard:
[~SSH Server] commit

Step 4 Enable the STelnet and SFTP server functions on the SSH server.

[~SSH Server] stelnet server enable
[~SSH Server] sftp server enable
[~SSH Server] commit

Step 5 Configure a new listening port number on the SSH server.

[~SSH Server] ssh server port 1025
[~SSH Server] commit

Step 6 Connect the SSH client and the SSH server.

# If the client logs in to the server for the first time, enable first-time authentication on the client.

Enable first-time authentication on client001.

<HUAWEI> system-view
[~HUAWEI] sysname client001
[~HUAWEI] commit
[~client001] ssh client first-time enable
[~client001] commit

Enable first-time authentication on client002.

[~client002] ssh client first-time enable
[~client002] commit

# The STelnet client logs in to the SSH server by using the new listening port number.

[~client001] stelnet 1.1.1.1 1025
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:

Enter the password huawei, and information indicating a successful login is displayed as follows:

Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.
<SSH Server>

# The SFTP client logs in to the SSH server by using the new listening port number.

[~client002] sftp 1.1.1.1 1025
Please input the username:client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
sftp-client>

Step 7 Verify the configuration.

Attackers fail to log in to the SSH server using the default listening port number 22.

[~client002] sftp 1.1.1.1
Please input the username:client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the server.

After the configuration is complete, run the display ssh server status, display ssh server session, and display ssh server statistics commands on the SSH server. The current listening port number of the SSH server is displayed in the command output. The command output also shows that the STelnet or SFTP client has logged in to the server successfully.

# Check the status of the SSH server.

[~SSH Server] display ssh server status
 SSH version                        : 1.99
 SSH connection timeout             : 60 seconds
 SSH server key generating interval : 0 hours
 SSH Authentication retries         : 3 times
 SFTP server                        : Enable
 STELNET server                     : Enable
 SSH server port                    : 1025

# Check the connection to the SSH server.

[~SSH Server] display ssh server session
Session              : 1
Conn                 : VTY 3
Version              : 2.0
State                : started
Username             : client001
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group1-sha1
Service Type         : stelnet
Authentication Type  : password

Session              : 2
Conn                 : VTY 4
Version              : 2.0
State                : started
Username             : client002
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group1-sha1
Service Type         : sftp
Authentication Type  : rsa

# Check the current statistics information of the SSH server.

[~SSH Server] display ssh server statistics
----------------------------------
Total connection accepted          : 1
Total connection denied by ACL     : 2
Total connection denied by CLI     : 0
Total connection denied by AAA     : 3
Total connection denied by Netconf : 1
Total connection closed by CLI     : 1
Total connection closed by Netconf : 4
Total connection closed by sock    : 3
Total online connection            : 5
---------------------------------------

----End

Configuration Files

l Configuration file of the SSH server

#
 sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308188
  028180
    B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
    D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
    2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
    474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
  0203
    010001
public-key-code end
peer-public-key end
#
ssh server port 1025
stelnet server enable
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.0.0
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
admin
return


l Configuration file of client001
#
 sysname client001
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.2.2 255.255.0.0
#
ssh client first-time enable
#
admin
return

l Configuration file of client002
#
 sysname client002
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.3.3 255.255.0.0
#
ssh client first-time enable
#
admin
return

5.7.7 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private Network

This example shows how to configure an SSH client on the public network to access an SSH server on a private network. You can configure SSH-related attributes for public users to allow them to access devices on private networks in STelnet or SFTP mode.

Networking Requirements

As shown in Figure 5-16, PE1 is an SSH client located on the MPLS backbone network, and CE1 functions as an SSH server located on the private network with the AS number of 65410. It is required that public network users securely access and manage CE1 after logging in to PE1.


Figure 5-16 Networking diagram for configuring an SSH client on the public network to access an SSH server on a private network

[Figure: CE1 (SSH server; GE1/0/1 10.1.1.1/24, in a VPN site) connects to PE1 (SSH client; GE1/0/1 10.1.1.2/24, POS1/0/1 100.1.1.1/30, Loopback1 1.1.1.9/32). PE1 connects over POS1/0/1 to the P (POS1/0/1 100.1.1.2/30, POS1/0/2 200.1.1.1/30, Loopback1 2.2.2.9/32), which connects to PE2 (POS1/0/1 200.1.1.2/30, GE1/0/1 10.1.2.2/24, Loopback1 3.3.3.9/32). CE2 (GE1/0/1 10.1.2.1/24, in the other VPN site) connects to PE2. PE1, the P and PE2 form the MPLS backbone, AS 100.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a VPN instance on PE1 to allow CE1 to access PE1.
2. Set up EBGP peer relationships between PEs and CEs and import VPN routes.
3. Configure client002 and the SSH server to generate local key pairs, and bind client002 to the RSA public key of the SSH server to authenticate the client when the client attempts to log in to the server.
4. Enable the STelnet and SFTP server functions on the SSH server.
5. Configure client001 to access CE1 by using STelnet and client002 by using SFTP.

Data Preparation

To complete the configuration, you need the following data:

l Name of the VPN instance on the PEs: vpn1
l VPN target on the PEs: 111:1
l IP address of PE1: 10.1.1.2; IP address of PE2: 10.1.2.2
l Client001: password authentication (password: huawei)
l Client002: RSA authentication (public key: RsaKey001)
l IP address of CE1: 10.1.1.1

Procedure

Step 1 Configure the MPLS backbone network.


Configure an IGP to allow PEs and the P on the MPLS backbone network to communicate with each other. Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS backbone network.

For detailed configurations, see the configuration files in this example.

Step 2 Configure VPN instances on PEs and connect CEs to PEs.

# Configure PE1.

[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1] vpn-target 111:1 both
[~PE1-vpn-instance-vpn1] quit
[~PE1] interface gigabitethernet 1/0/1
[~PE1-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[~PE1-GigabitEthernet1/0/1] undo shutdown
[~PE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[~PE1-GigabitEthernet1/0/1] quit
[~PE1] commit

# Configure PE2.

[~PE2] ip vpn-instance vpn1
[~PE2-vpn-instance-vpn1] route-distinguisher 200:1
[~PE2-vpn-instance-vpn1] vpn-target 111:1 both
[~PE2-vpn-instance-vpn1] quit
[~PE2] interface gigabitethernet 1/0/1
[~PE2-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[~PE2-GigabitEthernet1/0/1] undo shutdown
[~PE2-GigabitEthernet1/0/1] ip address 10.1.2.2 24
[~PE2-GigabitEthernet1/0/1] quit
[~PE2] commit

# Configure IP addresses for interfaces on CEs based on Figure 5-16. The configuration details are not provided here.

After the configuration is complete, run the display ip vpn-instance verbose command on PEs. You can view the configurations of VPN instances. Each PE can successfully ping its connected CE.

NOTE

When there are multiple interfaces on a PE bound to the same VPN instance, specify the source address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the CE connected to the peer PE. Otherwise, the ping may fail.

Use the display on PE1 and CE1 as an example.

[~PE1] display ip vpn-instance verbose
 Total VPN-Instances configured : 1
 VPN-Instance Name and ID : vpn1, 1
  Create date : 2007/06/08 11:42:58
  Up time : 0 days, 00 hours, 03 minutes and 27 seconds
  Route Distinguisher : 100:1
  Export VPN Targets : 111:1
  Import VPN Targets : 111:1
  Label policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : uniform
  Interfaces : GigabitEthernet2/0/0
[~PE1] ping -vpn-instance vpn1 10.1.1.1
  PING 10.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=260 ms
    Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=70 ms
    Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=60 ms
    Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=60 ms
    Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=90 ms
  --- 10.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 60/108/260 ms

Step 3 Establish EBGP peer relationships between the PEs and the CEs to import VPN routes.

# Configure CE1.

[~CE1] bgp 65410
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] import-route direct
[~CE1-bgp] quit
[~CE1] commit

# Configure PE1.

[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpn1
[~PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[~PE1-bgp-vpn1] import-route direct
[~PE1-bgp-vpn1] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure CE2.

[~CE2] bgp 65420
[~CE2-bgp] peer 10.1.2.2 as-number 100
[~CE2-bgp] import-route direct
[~CE2-bgp] quit
[~CE2-bgp] commit

# Configure PE2.

[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpn1
[~PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420
[~PE2-bgp-vpn1] import-route direct
[~PE2-bgp-vpn1] quit
[~PE2-bgp] quit
[~PE2-bgp] commit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command on PEs. You can find that the EBGP peer relationships between PEs and the CEs are in the Established state.

Use the peer relationship between PE1 and CE1 as an example.

[~PE1] display bgp vpnv4 vpn-instance vpn1 peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1
  Peer      V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  10.1.1.1  4  65410  3        3        0     00:00:37  Established  1

# Set up an MP-IBGP peer relationship between PEs.

For detailed configurations, see the configuration files in this example.

Step 4 Configure the server to generate a local key pair.

[~CE1] rsa local-key-pair create
The key name will be: CE1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
[~CE1] commit

Step 5 Configure the RSA public key on the server.

# Configure the client to generate a local key pair.

[~PE1] rsa local-key-pair create
The key name will be: PE1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
[~PE1] commit

# Check the RSA public key generated on the client.

[~PE1] display rsa local-key-pair public
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
    87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
    8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
    E2EE8EB5
  0203
    010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61 rsa-key
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F
    23AC8DE2 BDB58E1E D46856B5 419CAEDF 3A33DD40
    278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437
    D720D3D8 9A3F9DE5 4FE062DF F2DC443E 9092A0F4
    970B8CC9 C8684678 CF0682F3 6301F5F3
  0203
    010001

# Copy the RSA public key generated on the client to the server.

[~CE1] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~CE1-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~CE1-rsa-key-code] 3067
[~CE1-rsa-key-code] 0240
[~CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
[~CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
[~CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
[~CE1-rsa-key-code] E2EE8EB5
[~CE1-rsa-key-code] 0203
[~CE1-rsa-key-code] 010001
[~CE1-rsa-key-code] public-key-code end
[~CE1-rsa-public-key] peer-public-key end
[~CE1-rsa-public-key] quit
[~CE1] commit
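The hex block typed into the RSA key code view above is a DER-encoded PKCS#1 RSAPublicKey: 30 xx opens a SEQUENCE, 02 xx introduces the modulus INTEGER, and 02 03 01 00 01 is the public exponent 65537. The Python below is an added example, not Huawei code, that parses such a key code into (n, e), renders it as the same OpenSSH authorized_keys line that display rsa local-key-pair public prints, and checks the DER length bytes against the bytes actually present before the key is trusted. PE1_HOST_KEY_CODE is copied from the Step 5 display output and RSAKEY001_KEY_CODE from the SSH server configuration file of the preceding example; every function name is this example's own. Note that the key code entered on CE1 above begins with 3067 while the client printed 3047 for PE1_Host; the length check rejects exactly that kind of transcription error, so a key that fails it should be re-copied rather than bound to a user.

```python
"""Parse the hex "Key code" printed by `display rsa local-key-pair public` and
render it as an OpenSSH authorized_keys line.

Added example, not Huawei's code. It assumes only what the page's output shows:
the key code is a DER-encoded PKCS#1 RSAPublicKey, SEQUENCE { INTEGER n, INTEGER e }.
"""
import base64
import hashlib
import struct

# Key code of PE1_Host, copied from the Step 5 display output (whitespace is ignored).
PE1_HOST_KEY_CODE = """
3047
  0240
    BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
    87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
    8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
    E2EE8EB5
  0203
    010001
"""

# rsakey001 from the SSH server configuration file of the preceding example. The
# modulus is 128 bytes, so DER uses long-form lengths (81 88 and 81 80).
RSAKEY001_KEY_CODE = """
308188
  028180
    B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
    D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
    2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
    474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
  0203
    010001
"""


def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value at buf[pos]; return (value, offset after it)."""
    if pos + 1 >= len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n_len_bytes = length & 0x7F
        if not 1 <= n_len_bytes <= 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n_len_bytes], "big")
        pos += n_len_bytes
    end = pos + length
    if end > len(buf):
        raise ValueError(f"length {length} at offset {pos} overruns the {len(buf)}-byte key code")
    return buf[pos:end], end


def parse_key_code(key_code):
    """Return (n, e); raise ValueError when the DER framing and the bytes present disagree."""
    raw = bytes.fromhex("".join(key_code.split()))
    seq, end = _read_tlv(raw, 0, 0x30)
    if end != len(raw):
        raise ValueError(f"SEQUENCE ends at byte {end} but the key code has {len(raw)} bytes")
    n_bytes, pos = _read_tlv(seq, 0, 0x02)
    e_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("unexpected bytes after the public exponent")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                         # mpint is signed: keep the value positive
        b = b"\x00" + b
    return _ssh_string(b)


def _ssh_rsa_blob(key_code):
    n, e = parse_key_code(key_code)
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def to_openssh(key_code, comment="rsa-key"):
    """Render as `ssh-rsa <base64> <comment>`, the form the router prints for authorized_keys."""
    return f"ssh-rsa {base64.b64encode(_ssh_rsa_blob(key_code)).decode()} {comment}"


def fingerprint(key_code):
    """OpenSSH-style SHA256 fingerprint, to compare with what a client shows before trusting a host key."""
    digest = hashlib.sha256(_ssh_rsa_blob(key_code)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_bits(key_code):
    """Modulus size in bits; the router's default of 512 is far below current practice."""
    return parse_key_code(key_code)[0].bit_length()


if __name__ == "__main__":
    print(to_openssh(PE1_HOST_KEY_CODE))
    print(fingerprint(PE1_HOST_KEY_CODE), key_bits(PE1_HOST_KEY_CODE), "bits")
```

Running the module prints the authorized_keys line for PE1_Host, which matches the "Public key code for pasting into OpenSSH authorized_keys file" line the router displayed, together with the fingerprint and the modulus size. The size is worth reporting: both keys on this page (512 and 1024 bits) are well below what a current SSH client will accept by default.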

Step 6 Create SSH users on the server.

NOTE

There are four authentication modes for SSH users: password, RSA, password-RSA, and all.

l If the authentication mode is password or password-RSA, configure a local user on the server with the same user name.

l If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the SSH client to the server.

# Configure VTY user interfaces.

[~CE1] user-interface vty 0 4
[~CE1-ui-vty0-4] authentication-mode aaa
[~CE1-ui-vty0-4] protocol inbound ssh
[~CE1-ui-vty0-4] commit
[~CE1-ui-vty0-4] quit

l Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication for the user.
[~CE1] ssh user client001
[~CE1] ssh user client001 authentication-type password
# Set the password of client001 to huawei.
[~CE1] aaa
[~CE1-aaa] local-user client001 password simple huawei
[~CE1-aaa] local-user client001 service-type ssh
[~CE1-aaa] quit
# Set the service type of client001 to STelnet.
[~CE1] ssh user client001 service-type stelnet

l # Create an SSH user named client002, configure RSA authentication for the user, and bind the RSA public key to client002.
[~CE1] ssh user client002
[~CE1] ssh user client002 authentication-type rsa
[~CE1] ssh user client002 assign rsa-key RsaKey001
# Set the service type of client002 to SFTP and configure the authorized directory for the user.
[~CE1] ssh user client002 service-type sftp
[~CE1] ssh user client002 sftp-directory cfcard:
[~CE1] commit

Step 7 Enable the STelnet and SFTP server functions on the SSH server.

[~CE1] stelnet server enable
[~CE1] sftp server enable
[~CE1] commit

Step 8 Configure PE1 (the SSH client) to log in to CE1 (the SSH server).

# If the client logs in to the server for the first time, enable first-time authentication on the client.

[~PE1] ssh client first-time enable
[~PE1] commit

# Use STelnet to log in to the SSH server.

[~PE1] stelnet 10.1.1.1 -vpn-instance vpn1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...
Enter password:

Enter the password huawei, and information indicating a successful login is displayed as follows:

Info: The max number of VTY users is 10, and the current number of VTY users on line is 1.
<CE1>

# Use SFTP to log in to the SSH server.

[~PE1] sftp 10.1.1.1 -vpn-instance vpn1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...

After the login succeeds, the following information is displayed, and you can operate files by using FTP.

<sftp-client>

Step 9 Verify the configuration.

After the configuration is complete, run the display this command in the interface view on PE1. You can find that the VPN instance has been successfully configured. Run the display ssh server session and display ssh server statistics commands on CE1. You can find that the STelnet or SFTP client has been successfully connected to the SSH server.

# Check the connection to the SSH server.

[~PE1] display ssh server session
Session              : 1
Conn                 : VTY 0
Version              : 2.0
State                : started
Username             : client001
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group1-sha1
Service Type         : stelnet
Authentication Type  : password

# Check the current statistics information of the SSH server.

[~PE1] display ssh server statistics
----------------------------------
Total connection accepted          : 1
Total connection denied by ACL     : 2
Total connection denied by CLI     : 0
Total connection denied by AAA     : 3
Total connection denied by Netconf : 1
Total connection closed by CLI     : 1
Total connection closed by Netconf : 4
Total connection closed by sock    : 3
Total online connection            : 5
---------------------------------------
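The session and statistics displays above (and the identical ones in the verification step of the preceding example) are what an operator reads to confirm who is connected, with which algorithms, and how many logins were refused. The Python below is an added example, not Huawei code, that parses both outputs and applies a policy of this example's own devising: it flags sessions negotiated with CBC ciphers, hmac-sha1-96 or diffie-hellman-group1-sha1 (the values shown on this page), protocol versions other than 2.0, and password-only authentication, and it totals the "denied by" counters so that a rising value can be alerted on. SESSION_OUTPUT and STATISTICS_OUTPUT are copied from the displays above; the function names are this example's own.

```python
"""Audit the `display ssh server session` and `display ssh server statistics`
output shown in this section.

Added example, not Huawei's code. The field layout is taken from the displays on
the page; the set of algorithms treated as legacy is this example's own policy.
"""
import re

# Copied from the Step 9 session display above.
SESSION_OUTPUT = """\
Session              : 1
Conn                 : VTY 0
Version              : 2.0
State                : started
Username             : client001
Retry                : 1
CTOS Cipher          : aes128-cbc
STOC Cipher          : aes128-cbc
CTOS Hmac            : hmac-sha1-96
STOC Hmac            : hmac-sha1-96
Kex                  : diffie-hellman-group1-sha1
Service Type         : stelnet
Authentication Type  : password
"""

# Copied from the Step 9 statistics display above.
STATISTICS_OUTPUT = """\
----------------------------------
Total connection accepted          : 1
Total connection denied by ACL     : 2
Total connection denied by CLI     : 0
Total connection denied by AAA     : 3
Total connection denied by Netconf : 1
Total connection closed by CLI     : 1
Total connection closed by Netconf : 4
Total connection closed by sock    : 3
Total online connection            : 5
---------------------------------------
"""

# Example policy: CBC-mode ciphers, MD5/SHA-1 MACs and the 1024-bit group1 or
# SHA-1 group-exchange key exchange are reported as legacy.
LEGACY = {
    "cipher": re.compile(r"-cbc$|^3des|^arcfour|^blowfish"),
    "hmac": re.compile(r"^hmac-(md5|sha1)(-96)?$"),
    "kex": re.compile(r"^diffie-hellman-group(1-sha1|-exchange-sha1)$"),
}
ALGORITHM_FIELDS = [
    ("CTOS Cipher", "cipher"), ("STOC Cipher", "cipher"),
    ("CTOS Hmac", "hmac"), ("STOC Hmac", "hmac"), ("Kex", "kex"),
]
FIELD_RE = re.compile(r"\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")


def parse_sessions(text):
    """Return one dict per session; each 'Session' field starts a new record."""
    sessions, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Session":
            current = {}
            sessions.append(current)
        if current is not None:
            current[key] = value
    return sessions


def audit_session(session):
    """List the policy findings for one parsed session record."""
    tag = f"session {session.get('Session')}"
    findings = []
    for field, kind in ALGORITHM_FIELDS:
        value = session.get(field, "")
        if LEGACY[kind].search(value):
            findings.append(f"{tag}: legacy {field} {value}")
    if session.get("Version") != "2.0":
        findings.append(f"{tag}: protocol version {session.get('Version')}")
    if session.get("Authentication Type") == "password":
        findings.append(f"{tag}: user {session.get('Username')} authenticated by password only")
    return findings


def audit_sessions(text):
    """Findings for every session in a `display ssh server session` output."""
    return [f for s in parse_sessions(text) for f in audit_session(s)]


def parse_statistics(text):
    """Return {counter name: value} from a `display ssh server statistics` output."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Total .+?)\s*:\s*(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def denied_total(stats):
    """Sum of all 'denied by' counters; a rising value means logins are being rejected."""
    return sum(v for k, v in stats.items() if "denied by" in k)


if __name__ == "__main__":
    for finding in audit_sessions(SESSION_OUTPUT):
        print(finding)
    stats = parse_statistics(STATISTICS_OUTPUT)
    print("denied:", denied_total(stats), "online:", stats["Total online connection"])
```

Run against the session above, the audit reports six findings (two ciphers, two MACs, the key exchange, and password authentication), and the statistics yield a denied total of 6 (2 by ACL, 3 by AAA, 1 by Netconf). Polling the statistics display on a schedule and diffing the denied counters is a cheap way to notice brute-force attempts against the SSH listener even after its port has been changed.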

----End

Configuration Files

l Configuration file of CE1

#
 sysname CE1
#
rsa peer-public-key rsakey001
public-key-code begin
3067
  0260
    9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
    419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
    9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
  0203
    010001
public-key-code end
peer-public-key end
#
stelnet server enable
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
bgp 65410
 peer 10.1.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.1.2 enable
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
admin
return

l Configuration file of PE1
#
 sysname PE1
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip binding vpn-instance vpn1
 ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/1
 undo shutdown
 link-protocol ppp
 ip address 100.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
interface NULL0
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.1.1.1 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 100.1.1.0 0.0.0.255
#
ssh client first-time enable
#
admin
return

l Configuration file of the P
#
 sysname P
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
interface Pos1/0/1
 undo shutdown
 link-protocol ppp
 ip address 100.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Pos1/0/2
 undo shutdown
 link-protocol ppp
 ip address 200.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 200.1.1.0 0.0.0.255
#
admin
return

l Configuration file of PE2
#
 sysname PE2
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip binding vpn-instance vpn1
 ip address 10.1.2.2 255.255.255.0
#
interface Pos1/0/1
 undo shutdown
 link-protocol ppp
 ip address 200.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.1.2.1 as-number 65420
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 200.1.1.0 0.0.0.255
#
admin
return

l Configuration file of CE2
#
 sysname CE2
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
bgp 65420
 peer 10.1.2.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.2.2 enable
#
admin
return


6 Using the Command Line Interface

About This Chapter

This chapter describes the command line interface that is used to maintain the device routinely. After users edit and configure a command line in a certain view, the system displays certain information or error prompts.

6.1 Overview of the Command Line Interface
The command line interface (CLI) is the common tool for running commands. You can configure and manage the router by using the CLI commands.

6.2 Establishing the Running Environment for the Command Line
You can set the running environment of the command line to an accustomed interface before using the command line.

6.3 How to Use Command Lines
The command lines are used to configure and process the command view, editing function of the command line, command line template, displayed information and error information.

6.4 How to Obtain Command Help
When you enter command lines or configure services, command help offers real-time help in addition to the configuration guide.

6.5 How to Use Shortcut Keys
You can use the system shortcut keys or user-defined shortcut keys to enter the corresponding commands. This simplifies operations.

6.6 Configuration Examples
This section describes how to use command lines with configuration examples.


6.1 Overview of the Command Line Interface

The command line interface (CLI) is the common tool for running commands. You can configure and manage the router by using the CLI commands.

Command Line Interface

After you log in to the router, the displayed command line prompt indicates that you have entered the CLI. The CLI is an interface through which you can interact with the router.

You can enter the commands provided by the system through the CLI to configure and manage the router.

The CLI has the following features:

l Supports local configurations through the console interface.

l Supports local or remote configurations through Telnet or Secure Shell (SSH).

l Supports the customized management of various terminal users in the user interface view.

l Supports command-based hierarchical protection: users of different levels can run only the commands of the corresponding levels.

l Supports the local, password, and AAA authentication modes to ensure system security by preventing unauthorized users from accessing the router.

l Supports the configuration that users can type in a question mark "?" to obtain online help.

l Provides network testing commands, such as the tracert and ping commands, for quicklydiagnosing network connectivity.

l Provides detailed debugging information of various types to help diagnose network faults.

l Supports the configuration of logging in to and managing other routers through the telnet command.

l Provides the FTP service that facilitates the upload and download of files.

l Provides the DosKey-like function to run a historical command.

l Provides multiple intelligent command resolution methods through the command line interpreter, such as partial matching and context-sensitive matching, which simplifies command entry for users.

NOTE

l The system supports the command with a maximum of 1024 characters including incomplete form.

l If a command in an incomplete form is run, the system saves the command to the configuration file as a command in a complete form, which may cause the command to have more than 1024 characters. In this case, the command in an incomplete form cannot be restored after the system restarts. So, pay attention to the length of the command in an incomplete form.

6.2 Establishing the Running Environment for the Command Line

You can set the running environment of the command line to an accustomed interface before using the command line.


Applicable Environment

Before using the command line to configure services, you can establish the basic running environment for the command line to meet the requirements of the actual environment.

Pre-configuration Tasks

Before establishing the running environment for the command line, complete the following tasks:

l Installing the router and powering it on properly
l Logging in to the router as a client

Configuration Procedures

To establish the running environment for the command line, perform the following procedures.

6.2.1 Configuring the Login Alert

When you access the router, a prompt is displayed. You can set the content of the prompt as you like.

Context

The login alert refers to the prompt that is displayed after you access the router or after you pass the authentication and before you start to exchange configurations with the system. The login alert is configured to provide an explicit indication of your login.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
header login { information text | file file-name }

The alert displayed during the login is configured.

Step 3 Run:
header shell { information text | file file-name }

The alert displayed after the login is configured.

Step 4 Run:
commit

The configuration is committed.

----End

6.2.2 Setting a Device Name

The name of a device is displayed in the command prompt. You can modify the name of a device as required.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sysname host-name

The name of the device is set.

Step 3 Run:
commit

The configuration is committed.

----End

6.2.3 Configuring Command Levels

This section describes how to configure command levels to ensure device security or allow low-level users to run high-level commands. By default, commands are registered in the sequence of Level 0 to Level 3. If refined rights management is required, you can divide commands into 16 levels, that is, from Level 0 to Level 15.

Context

If the user does not adjust a command level separately, after the command level is updated, all originally-registered command lines adjust automatically according to the following rules:

l The commands of Level 0 and Level 1 remain unchanged.
l The commands of Level 2 are updated to Level 10 and the commands of Level 3 are updated to Level 15.
l No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust the command lines to these levels separately to refine the management of privilege.

CAUTION

Changing the default level of a command is not recommended. If the default level of a command is changed, some users may be unable to use the command any longer.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
command-privilege level rearrange

The command levels are updated in batches.


When no password is configured for a Level 15 user, the system prompts the user to set a super password for the Level 15 user. At the same time, the system asks whether the user wants to continue with the update of the command line levels. Select "N" to set a password first. If you select "Y", the command levels are updated in batches directly, and a user who does not log in through the console port then fails to update the level.

Step 3 Run:
command-privilege level level view view-name command-key

All commands have default command views and levels. You do not need to reconfigure them.

----End

6.2.4 Lock the User Interface

In order to prevent unauthorized user access to the interface, you can lock the current user interface.

Procedure

Step 1 Run:
lock

The current user interface is locked.

The user interface can be the console interface or a VTY interface.

After running the lock command, you need to enter a password twice as prompted to activate the screen save mode. When the same password is entered twice, the current user interface is locked.

After the system is locked, to log in to the system again, press Enter and then enter the correct password as prompted. In this manner, you unlock the user interface and log in to the system.

If you forget the password, you cannot log in to the system. In this case, you must obtain the password from the administrator or reconfigure a password.

----End

6.3 How to Use Command Lines

Command lines are used to work with the command view, the command-line editing functions, the command-line template, displayed information, and error information.

Applicable Environment

Before configuring services through command lines, you need to understand the basic operations of command lines.

Pre-configuration Tasks

Before using command lines, complete the following tasks:

l Installing the router and powering it on properly

l Logging in to the router as a client

Configuration Procedures

To use command lines, perform the following procedures as required.

6.3.1 Entering a Command View

The CLI has multiple command views. Every command is registered in one or more command views. In general, you can run a command only after entering its command view.

# Set up a connection with the router. If the router uses the default configuration, you enter the user view and the following prompt is displayed:

<HUAWEI>

# Enter system-view and press Enter to enter the system view.

<HUAWEI> system-view
[~HUAWEI]

l # Enter aaa in the system view to enter the AAA view.

[~HUAWEI] aaa
[~HUAWEI-aaa]

l # Enter diagnose in the system view to enter the diagnose view.

<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose]

NOTE

The command line prompt "HUAWEI" is the default host name and can be changed with the sysname command. The current view can be determined from the prompt: "<>" indicates the user view, and "[]" indicates any view other than the user view.

You can run the quit command to exit the current view and return to the view one level up. If the current view is the user view, quit exits the system.

You can run the return command to exit the current view and go directly to the user view. If the current view is already the user view, the user view remains displayed.

Certain commands that can be run in the system view can also be run in other views. What a command does, however, depends on the view in which it is run. For example, the mpls command enables MPLS: run in the system view, it enables MPLS globally; run in an interface view, it enables MPLS on that interface.

6.3.2 Editing Command Lines

The command-line editing function lets you edit command lines or obtain help through certain keys.

The CLI on the NE5000E provides basic command-line editing and supports multi-line editing. Each command can contain up to 1024 characters.

The common editing functions are described in Table 6-1.


Table 6-1 List of editing functions

Common key: Inserts the character at the cursor position and moves the cursor one place to the right, provided the editing buffer is not full.

BackSpace: Deletes the character before the cursor and moves the cursor one place to the left. If the cursor is already at the head of the command, nothing happens.

Up cursor key ↑ or Ctrl_P: Recalls the previous historical command, if there is an earlier one.

Down cursor key ↓ or Ctrl_N: Recalls the next historical command, if there is a later one. Otherwise, the command line is cleared.

Tab: Press Tab after entering an incomplete keyword to invoke partial help.
l If exactly one keyword matches the entered text, the system replaces the entered text with the complete keyword and displays it on a new line with the cursor one space after it.
l If several keywords match, the system first displays their common prefix. Press Tab again to switch from one matching keyword to the next; the cursor then immediately follows the end of the keyword, and you can press the spacebar and enter the next word.
l If no keyword matches, the entered text is displayed unchanged on a new line.

NOTE

On the HyperTerminal of Windows 9X, the cursor key ↑ does not work because HyperTerminal on Windows 9X defines the keys differently. In this case, use Ctrl_P instead of the cursor key ↑.

Follow-up Procedure

The device automatically saves as a historical command each keyboard entry that ends with Enter or "?". The display history-command command displays the commands that were run recently and helps you look up information.

6.3.3 Checking the Configuration

After completing a set of configurations, you can run the following commands to check them.

Context

The basic configuration is complete.


Procedure

l Run: display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | interface interface-type [ interface-number ] ]

The current configuration is displayed.

l Run: display this

The configuration of the current view is displayed.

Parameters whose effective value equals the default value are not displayed. Parameters that have been set but have not yet taken effect are not displayed either.

----End

6.3.4 Checking the Diagnostic Information

When a fault occurs in the system and it is difficult to determine which module causes it, you can use this command to collect diagnostic information for locating the fault.

Procedure

Step 1 Run: display diagnostic-information [ file-name ]

The diagnostic information about the current system is displayed.

By default, the file is saved in cfcard: with the extension .txt.

The display diagnostic-information command combines the functions of several common display commands, such as display clock, display version, and display current-configuration. Running it is equivalent to running all of those display commands. Because the output includes the current configuration, treat the generated file as sensitive and restrict access to it.

----End

6.3.5 Display Mode of Command Lines

All commands share the same display feature. You can specify the display mode as required.

Display Feature

When the information cannot be completely displayed on one screen, you can use the pause function. You have three choices, as listed in Table 6-2.

Table 6-2 List of display functions

Ctrl+C: Stops displaying information and stops running the command.

Space: Continues to display the information on the next screen.

Enter: Continues to display the information on the next line.

Regular Expression

A regular expression describes a pattern that matches a set of character strings. It consists of common characters (such as the letters a to z) and special characters (also called metacharacters). The regular expression serves as a template that is matched against the searched character string.

A regular expression provides the following functions:

l Checks for and extracts the substring that matches a given rule within a character string.

l Replaces a character string according to the matching rule.

A regular expression consists of common characters and special characters.

l Common character

Common characters match themselves in the character string and include all uppercase letters, lowercase letters, digits, punctuation marks, and special symbols. For example, "a" matches "a" in "abc"; "202" matches "202" in "202.113.25.155"; "@" matches "@" in "[email protected]".

l Special character

Special characters, together with common characters, match complicated or special character strings. For example, "^10" matches "10.10.10.1" but not "20.10.10.1".

Table 6-3 describes special characters and their syntax.

Table 6-3 Description of special characters

\ : Escape character. Marks the next character (common or special) as a common character. Example: \* matches "*".

^ : Matches the start of the string. Example: ^10 matches "10.10.10.1" but not "20.10.10.1".

$ : Matches the end of the string. Example: 1$ matches "10.10.10.1" but not "10.10.10.2".

* : Matches the preceding element zero or more times. Example: 10* matches "1", "10", "100", and "1000"; (10)* matches the null string, "10", "1010", and "101010".

+ : Matches the preceding element one or more times. Example: 10+ matches "10", "100", and "1000"; (10)+ matches "10", "1010", and "101010".

? : Matches the preceding element zero or one time. Example: 10? matches "1" and "10"; (10)? matches the null string and "10".

. : Matches any single character. Example: 0.0 matches "0x0" and "020"; .oo matches "book", "look", and "tool".

() : Defines a subexpression, which can be null. Both the expression and the subexpression must match. Example: 100(200)+ matches "100200" and "100200200".

x|y : Matches x or y. Example: 100|200 matches "100" or "200"; 1(2|3)4 matches "124" or "134" but not "1234", "14", "1224", or "1334".

[xyz] : Matches any single character listed in the brackets. Example: [123] matches the character 2 in "255".

[^xyz] : Matches any character not listed in the brackets. Example: [^123] matches any character except "1", "2", and "3".

[a-z] : Matches any character within the specified range. Example: [0-9] matches any digit from 0 to 9.

[^a-z] : Matches any character outside the specified range. Example: [^0-9] matches any non-numeric character.

_ : Matches a comma ",", a left brace "{", a right brace "}", a left parenthesis "(", a right parenthesis ")", the start of the input string, the end of the input string, or a space. Example: _2008_ matches "2008", " 2008 ", " 2008", "2008 ", ",2008,", "{2008}", "(2008)", "{2008", and "(2008}".


NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

l Degeneration of special characters

Certain special characters degenerate to common characters when they appear at the following positions in a regular expression:

– A special character following "\" is escaped and matches itself.

– "*", "+", or "?" at the start of the regular expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".

– "^" at any position other than the start of the regular expression. For example, abc^ matches "abc^".

– "$" at any position other than the end of the regular expression. For example, 12$2 matches "12$2".

– A right bracket ")" or "]" that is not paired with a corresponding left bracket "(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".

NOTE

Unless otherwise specified, the degeneration rules also apply when the preceding regular expressions serve as subexpressions within parentheses.

l Combination of common characters and special characters

In practice, several common characters and special characters, rather than one of each, are usually combined to match a specific character string.

The NE5000E supports the following filtering modes based on regular expressions.

For commands that support regular expressions, you can choose one of the following filtering modes:

l | begin regular-expression
Outputs the first line that matches the regular expression and all the lines after it. That is, the system displays the line containing the specified character string (case sensitive) and all subsequent lines on the terminal.

l | exclude regular-expression
Outputs all the lines that do not match the regular expression. That is, the system displays only the lines that do not contain the specified character string (case sensitive). If no line satisfies the rule, the output is empty.

l | include regular-expression
Outputs only the lines that match the regular expression. That is, the system displays only the lines that contain the specified character string (case sensitive). If no line satisfies the rule, the output is empty.

When you run a display command with a filter to query configurations, note the following:

l Output starts at the first line that contains the specified character string anywhere in the line, not at the first line that begins with it. Anchor the expression with "^" if the line must start with the string.

l For functions that have been configured but whose configurations have not taken effect, the output of the display command is empty.
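Table 6-3, the degeneration rules and the three filtering modes above can be reproduced offline against saved command output. The Python below is an added example and is not Huawei code: vrp_to_python translates a VRP regular expression into Python re syntax (treating "$" as an anchor immediately before ")" and an unclosed "[" as a literal are assumptions, since the guide does not specify them), vrp_match tests one string, and vrp_filter applies | begin, | include and | exclude with the router's semantics, including the "_" metacharacter and the fact that | begin starts at the first line containing the string anywhere. The configuration sample is constructed for the example.

```python
"""Apply the NE5000E display filters (| begin / include / exclude) offline.

Added example, not Huawei code. A VRP regular expression (Table 6-3 plus the
degeneration rules) is translated into Python re syntax and applied to saved
command output, so a configuration dump can be searched with the same
semantics as on the router. Assumptions are marked in the comments.
"""
import re

# "_" matches a comma, brace, parenthesis, space, or the start/end of the line.
_UNDERSCORE = r'(?:^|$|[ ,{}()])'


def vrp_to_python(pattern):
    """Translate a VRP regular expression to Python re syntax."""
    out = []
    depth = 0         # number of "(" still open
    at_start = True   # at the start of the pattern or of a "(" subexpression
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\':                       # "\x" always means the literal x
            nxt = pattern[i + 1] if i + 1 < n else '\\'
            out.append(re.escape(nxt))
            i += 2
            at_start = False
            continue
        if c == '[':
            end = pattern.find(']', i + 1)
            if end != -1:                   # character class, copied as is
                out.append(pattern[i:end + 1])
                i = end + 1
                at_start = False
                continue
            out.append(r'\[')               # unclosed "[": literal (assumption)
        elif c == ']':
            out.append(r'\]')               # unpaired "]" degenerates to a literal
        elif c == '(':
            depth += 1
            out.append('(')
            i += 1
            at_start = True
            continue
        elif c == ')':
            if depth:
                depth -= 1
                out.append(')')
            else:
                out.append(r'\)')           # unpaired ")" degenerates to a literal
        elif c in '*+?':
            out.append('\\' + c if at_start else c)   # leading quantifier is literal
        elif c == '^':
            out.append('^' if at_start else r'\^')   # anchor only at the start
        elif c == '$':                                # anchor only at the end
            at_end = i == n - 1 or pattern[i + 1] == ')'   # ")" case is an assumption
            out.append('$' if at_end else r'\$')
        elif c == '_':
            out.append(_UNDERSCORE)
        elif c in '.|':
            out.append(c)
        else:
            out.append(re.escape(c))        # common character, incl. "{" and "}"
        at_start = False
        i += 1
    if depth:
        raise ValueError('unclosed "(" in pattern: %r' % pattern)
    return ''.join(out)


def vrp_match(pattern, text):
    """True when the VRP pattern matches anywhere in text (case sensitive)."""
    return re.search(vrp_to_python(pattern), text) is not None


def vrp_filter(output, mode, pattern):
    """Return the lines of `output` that the router would display.

    mode is "begin", "include" or "exclude"; a match may sit anywhere in the
    line, which is why "begin" needs a "^" anchor to mean "starts with".
    """
    rx = re.compile(vrp_to_python(pattern))
    lines = output.splitlines()
    if mode == 'include':
        return [line for line in lines if rx.search(line)]
    if mode == 'exclude':
        return [line for line in lines if not rx.search(line)]
    if mode == 'begin':
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]
        return []
    raise ValueError('unknown filter mode: %r' % mode)


# Constructed sample of "display current-configuration" output (not from a real router).
SAMPLE_OUTPUT = """\
#
 sysname HUAWEI
#
aaa
 local-user admin password irreversible-cipher REDACTED
 local-user admin service-type ssh
 local-user admin level 15
#
interface GigabitEthernet0/0/0
 ip address 100.2.150.51 255.255.0.0
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

if __name__ == '__main__':
    for line in vrp_filter(SAMPLE_OUTPUT, 'begin', '^user-interface'):
        print(line)
```

Note the difference between | begin interface, which starts at the interface GigabitEthernet0/0/0 line because it contains the string, and | begin ^user-interface, which starts at the VTY section: the same distinction applies on the router.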


The NE5000E supports redirecting the output of a display command to a specified file. There are two redirection modes:

l > filename
The output of the display command is written to the specified file. If the file already exists, its content is overwritten.

l >> filename
The output of the display command is appended to the specified file; the original content of the file is kept.

6.3.6 Error Information in Command Lines

If an entered command passes the validation check, it is executed. Otherwise, the system displays an error message.

Common error messages are shown in Table 6-4.

Table 6-4 Common error information in command lines

Unrecognized command: No such command or keyword is found.

Wrong parameter: The parameter type is incorrect, or the parameter value is out of range.

Incomplete command: The entered command is incomplete.

Too many parameters: Too many parameters were entered.

Ambiguous command: The entered command is ambiguous.

6.4 How to Obtain Command Help

When you enter command lines or configure services, the command help offers real-time help in addition to the configuration guide.

The CLI on the NE5000E provides the following online help.

Full Help

You can obtain full help in any of the following ways:

l Enter "?" in any command view to list all the commands available in that view with brief descriptions.

<HUAWEI> ?

l Enter a command followed by a space and "?". If the "?" is in the position of a keyword, all the keywords valid at that position are listed with brief descriptions. Take the following command output as an example:

<HUAWEI> terminal ?
  debugging  Debug information to terminal
  logging    Log information to terminal


The words "debugging" and "logging" are keywords, while "Debug information to terminal" and "Log information to terminal" are their descriptions.

l Enter a command followed by a space and "?". If the "?" is in the position of a parameter, the value range and function of the parameter are listed. Take the following command output as an example:

[~HUAWEI] ftp timeout ?
  INTEGER<1-35791>  The value of FTP timeout (in minutes)
[~HUAWEI] ftp timeout 35 ?
  <cr>

In the command output, "INTEGER<1-35791>" indicates the value range, and "The value of FTP timeout (in minutes)" is a brief description of the parameter's function. "<cr>" indicates that no further parameter is expected at this position; press Enter to run the command.

Partial Help

You can obtain partial help in any of the following ways:

l Enter a string followed by "?". The system lists all the keywords that start with the string.

<HUAWEI> d?
debugging  delete  dir  display

l Enter a command followed by a partial keyword and "?" when several keywords match. All the keywords that start with the string are listed.

<HUAWEI> display c?
car  clock  configuration  control-flap  cpu-defend  cpu-monitor  cpu-usage  current-configuration

l Enter the first letters of a keyword and press Tab. The complete keyword is displayed. If several keywords match, press Tab repeatedly to cycle through them and choose the one you need.

6.5 How to Use Shortcut Keys

You can use the system shortcut keys or user-defined shortcut keys to enter the corresponding commands, which simplifies operation.

Applicable Environment

When configuring services through command lines, you can define shortcut keys to enter frequently used commands quickly.

Pre-configuration Tasks

Before using shortcut keys, complete the following tasks:

l Installing the router and powering it on properly

l Logging in to the router as a client


Configuration Procedures

To use shortcut keys, perform the following procedures.

Related Tasks

6.6.1 Example for Using Tab
6.6.2 Example for Defining Shortcut Keys

6.5.1 Classification of Shortcut Keys

Shortcut keys consist of user-defined shortcut keys and system shortcut keys. Understanding this classification helps you use shortcut keys quickly and accurately.

Shortcut keys in the system are classified into two groups:

l User-defined shortcut keys. You can define five shortcut keys, Ctrl+G, Ctrl+L, Ctrl+O, Ctrl+T, and Ctrl+U, and associate each with any command. When you press a shortcut key, the system automatically runs the associated command. For details, see 6.5.2 Defining Shortcut Keys.

l System shortcut keys. These are fixed: they provide fixed functions and cannot be redefined by users. The main system shortcut keys are listed in Table 6-5.

NOTE

Different terminal software defines shortcut keys differently, so the shortcut keys on a terminal may differ from those listed in this section.

Table 6-5 System shortcut keys

Ctrl+C: Stops the running function.

Ctrl+K: Closes the connection of an outgoing call.

Ctrl+N: Displays the next command in the history command buffer.

Ctrl+P: Displays the previous command in the history command buffer.

Ctrl+Z: Returns to the user view.

Ctrl+]: Closes the connection of an incoming call, or redirects the connection.

6.5.2 Defining Shortcut Keys

Only users at the management level have the right to define shortcut keys.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command-text

The shortcut key is defined.

The default values of the shortcut keys Ctrl+G, Ctrl+L, and Ctrl+O are as follows:

l Ctrl+G: display current-configuration
l Ctrl+L: display ip routing-table
l Ctrl+O: undo debugging all

The other shortcut keys have no default value.

Step 3 Run: commit

The configuration is committed.

----End

6.5.3 Displaying Shortcut Keys and Their Functions

You can use a shortcut key at any position where a command can be entered. After you press a shortcut key, the system displays the corresponding command on the screen. The result is the same as entering the complete command.

Context

If you have entered an incomplete command without pressing Enter and then press a shortcut key, the entered characters are cleared and the corresponding command is displayed on the screen. The result is the same as entering the complete command.

As with commands that are typed in full, a command run through a shortcut key is recorded in the command buffer and in the logs, so that it can be found later during fault detection and auditing.

Procedure

Step 1 Run: display hotkey

The shortcut keys supported by the system and their functions are displayed.

NOTE

The function of shortcut keys may be affected by the terminal in use. For example, if a user-defined shortcut key conflicts with a key combination used by the terminal program, the terminal intercepts the key when it is pressed and the corresponding command cannot be run.

----End


6.6 Configuration Examples

This section describes how to use command lines, with configuration examples.

6.6.1 Example for Using Tab

You can press Tab to have the system prompt the associated keywords or to check whether a keyword is correct.

Networking Requirements

Any router on the network.

Configuration Notes

None.

Configuration Roadmap

The configuration roadmap is as follows:

1. If there is only one match for an incomplete keyword, enter the incomplete keyword and press Tab.

2. If there are several matches for the keyword, enter the incomplete keyword and press Tab repeatedly until the desired keyword is displayed.

3. If an incorrect keyword is entered and Tab is pressed, the incorrect keyword remains unchanged.

Data Preparation

None.

The use of Tab is described as follows:

If There Is Only One Match for an Incomplete Keyword

1. Enter an incomplete keyword.

[~HUAWEI] ip rout

2. Press Tab.

The system replaces the entered keyword with the complete keyword followed by a space.

[~HUAWEI] ip route-static

If There Are Several Matches for an Incomplete Keyword

# The keyword ip route-static can be followed by the following keywords:

[~HUAWEI] ip route-static ?
  X.X.X.X             Destination IP address
  bfd                 BFD configuration information
  default-bfd         Default BFD parameter
  default-preference  Preference-value for IPv4 static-routes
  frr                 Fast Reroute
  selection-rule      Selection rule
  topology            Specify topology information
  vpn-instance        VPN-Instance route information

1. Enter an incomplete keyword.

[~HUAWEI] ip route-static d

2. Press Tab.

The system first displays the common prefix of all the matching keywords. In this example, the prefix is "default-".

[~HUAWEI] ip route-static default-

Press Tab again to switch from one matching keyword to the next. The cursor immediately follows the end of the keyword.

[~HUAWEI] ip route-static default-bfd
[~HUAWEI] ip route-static default-preference

Stop pressing Tab when the desired keyword is displayed.

3. Enter the next word, 10.

[~HUAWEI] ip route-static default-preference 10

Pressing Tab After an Incorrect Keyword Is Entered

1. Enter an incorrect keyword.

[~HUAWEI] ip route-static default-pe

2. Press Tab.

The system displays the output on a new line. The entered keyword remains unchanged.

[~HUAWEI] ip route-static default-pe
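The Tab behaviour of Table 6-1 and of this example can be expressed as a small completion routine. The Python below is an added example, not code from the guide or from the router software: it uses the keyword list returned by ip route-static ? above, and partial_help gives the listing that a trailing "?" produces (as with d? in 6.4). The terminal, prompt and cursor handling of the real CLI are left out.

```python
"""Keyword completion with the Tab rules of Table 6-1, applied to the
ip route-static example above.

Added example, not Huawei code. The keyword list is the one printed by
"ip route-static ?" in this section.
"""
import os

# Keywords listed by "ip route-static ?" above (the X.X.X.X address is a
# parameter, not a keyword, so it is not completed).
ROUTE_STATIC_KEYWORDS = [
    "bfd", "default-bfd", "default-preference", "frr",
    "selection-rule", "topology", "vpn-instance",
]


def partial_help(keywords, prefix):
    """What typing '<prefix>?' lists: every keyword that starts with prefix."""
    return [k for k in keywords if k.startswith(prefix)]


def press_tab(keywords, typed, presses=1):
    """Return the command line after pressing Tab `presses` times on `typed`.

    Only the last word of `typed` is completed; `keywords` are the keywords
    valid at that position.
      - one match: the word is replaced by the keyword plus a space
      - several matches: the first Tab shows their common prefix and each
        further Tab moves to the next matching keyword, cycling
      - no match: the line is returned unchanged
    """
    head, _, word = typed.rpartition(" ")
    prefix = head + " " if head else ""
    matches = partial_help(keywords, word)
    if not matches:                        # incorrect keyword: unchanged
        return typed
    if len(matches) == 1:                  # unique match: complete plus space
        return prefix + matches[0] + " "
    if presses == 1:                       # several matches: common prefix first
        return prefix + os.path.commonprefix(matches)
    return prefix + matches[(presses - 2) % len(matches)]   # then cycle


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, repr(press_tab(ROUTE_STATIC_KEYWORDS, "ip route-static d", n)))
```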

Configuration Files

None.

Related Tasks

6.5 How to Use Shortcut Keys

6.6.2 Example for Defining Shortcut Keys

Once shortcut keys are defined on the router, all users can use them regardless of their user level.

Networking Requirements

Any router on the network.

Configuration Notes

If a user does not have the right to run the command associated with a defined shortcut key, the system does not respond when that user presses the shortcut key.

Configuration Roadmap

The configuration roadmap is as follows:


1. Define the shortcut key Ctrl+U and associate it with the display ip routing-table command.
2. Press Ctrl+U at the [~HUAWEI] prompt.

Data Preparation

To define shortcut keys, you need the following data:

l Names of the shortcut keys
l Names of the commands to be associated with the shortcut keys

Procedure

Step 1 Define the shortcut key Ctrl+U and associate it with the display ip routing-table command.

<HUAWEI> system-view
[~HUAWEI] hotkey ctrl_u display ip routing-table

Step 2 Press Ctrl+U at the [~HUAWEI] prompt.

[~HUAWEI] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

     51.51.51.9/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      100.2.0.0/16  Direct  0    0           D   100.2.150.51    GigabitEthernet0/0/0
   100.2.150.51/32  Direct  0    0           D   127.0.0.1       InLoopBack0
 100.2.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       127.0.0.0/8  Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

----End

Configuration Files

None.

Related Tasks

6.5 How to Use Shortcut Keys


7 Device Upgrade

About This Chapter

7.1 Overview of Device Upgrade

7.2 Upgrade Modes Supported by the NE5000E


7.1 Overview of Device Upgrade

A device is upgraded when new features need to be added, existing performance needs to be optimized, or problems in the current version need to be solved.

Application Scenario of Device Upgrade

You need to upgrade the NE5000E to do the following:

l Add new features
l Optimize existing performance
l Solve problems in the current version

Note

Before upgrading the NE5000E, pay attention to the following:

l When upgrading the NE5000E on site, prepare a spare part for each board.
l Obtain the new system software, the Product Adaptive File (PAF) or license file, and the documents for the new version from Huawei.
l Back up the configuration files, and collect and save the service configurations.
l Enable the log function to record all operations performed during the upgrade.
l Check the software versions of all modules on each board, including the BootROM, firmware, and MonitorBus versions.

7.2 Upgrade Modes Supported by the NE5000E

At present, the NE5000E can be upgraded by using the command line, a mobile storage device, or the BootROM.

Upgrade by Using the Command Line

This mode applies in the following situations. For operation details, refer to the "NE5000E V800R002C01 Version Upgrade Instructions" for the corresponding system software version.

l The NE5000E works properly and uses FTP/TFTP for the upgrade. Other devices can log in to the NE5000E remotely.

l The NE5000E is being upgraded for the first time and has been loaded with the system software package. Other devices can log in to the NE5000E through the serial interface to configure the IP address.

Upgrade by Using a Mobile Storage Device (CF Card)

Upgrading the NE5000E by using a CF card is mainly used during the engineering stage or during troubleshooting. Before the upgrade, prepare two CF cards.

In this mode, the NE5000E is upgraded by replacing the CF cards on the master and slave MPUs with CF cards containing the system software package. For operation details, refer to the "NE5000E V800R002C01 Version Upgrade Instructions" for the corresponding system software version.

Upgrade by Using the BootROM

This mode applies in the following situations. For operation details, refer to the "NE5000E V800R002C01 Version Upgrade Instructions" for the corresponding system software version:

l The NE5000E is being upgraded for the first time, but its system software package is missing or incorrect.

l After the NE5000E is upgraded and restarted, neither the master nor the slave MPU can be registered.

l After the NE5000E is upgraded, the master MPU can be registered but the slave MPU cannot.

l The MPU has been replaced.

l Other devices cannot log in to the NE5000E through Telnet.


8 Patch Installation

About This Chapter

8.1 Overview

8.2 Patch Installation Modes Supported by the NE5000E


8.1 Overview

A patch can be installed on a device to improve the device's performance.

Patch Installation Requirements

During device operation, the system software may need to be modified to rectify bugs or to meet new function requirements. The traditional way is to upgrade the system software after powering off the device, which interrupts services and affects QoS. Loading a patch onto the system software upgrades it without interrupting services on the device, which also improves QoS.

Precautions

Note the following points when loading a patch on the NE5000E:

l It is normal for the patch file to be loaded to the boards asynchronously.

l When installing or uninstalling a patch, ensure that all boards in use on the device have registered with the system. If any LPU is starting up during patch installation or uninstallation, the operation may fail on that LPU. Do not remove or reinstall boards, and do not close the VTY interface, during patch installation.

l If the patch contains subcard patches, installation may take longer. If you intend to delete the installed patch, wait at least 60 seconds after installation, so that subcards of the same type on an LPU are in the same state.

l If the startup patch command has been used to specify the patch to be loaded at the next startup, run the patch-state run all command to activate the patch before restarting the device.

8.2 Patch Installation Modes Supported by the NE5000E

Currently, the NE5000E supports only patch installation using commands. For details on patch installation procedures, see the Patch Notes matching the software version.


9 Configuration Management

About This Chapter

To ensure reliable user configurations, the system provides two configuration validation modes.

Context

As new types of services keep emerging, higher requirements are imposed on devices. For example, it is required that services take effect after being configured, that invalid configurations be discarded, and that the impact on existing services be minimized.

To ensure reliable user configurations, the system allows two-phase configuration validation. In the first phase, the system performs syntax and semantics checks. In the second phase, configurations take effect and are used for services.

9.1 Introduction to Configuration Management
The system supports two configuration validation modes, namely, immediate validation and two-phase validation. By default, the two-phase configuration validation mode takes effect.

9.2 Configuration Management Features that the NE5000E Supports
Configuration management features allow users to lock, preview, and discard configurations, and to save the configuration file used at the current startup and the configuration file to be loaded at the next startup of the system.

9.3 Selecting a Configuration Validation Mode
According to different reliability requirements, you can select either of two configuration validation modes, namely, immediate validation and two-phase validation.

9.4 Managing Configuration Files
You can set the configuration file to be loaded at the next startup and save the configuration file.

9.5 Configuration Examples
This section provides examples of configuring configuration management. You can understand the configuration procedures by referring to the configuration flowchart. Each configuration example provides information about the networking requirements, configuration notes, and configuration roadmap.


9.1 Introduction to Configuration Management

The system supports two configuration validation modes, namely, immediate validation and two-phase validation. By default, the two-phase configuration validation mode takes effect.

l The immediate configuration validation mode is the traditional configuration validation mode. In this mode, the system-view immediately command is used to enter the system view. After a user enters a command line and presses Enter, the system performs the syntax check. The configuration takes effect as soon as it passes the syntax check.

l In the two-phase configuration validation mode, the system configuration process is divided into two phases. In this mode, the system-view command is used to enter the system view. In the first phase, a user enters a configuration command, and the system performs syntax and semantics checks on the candidate database. If an incorrect clause is found, the system displays a message on the command line terminal, indicating the fault and the cause. After entering a series of command lines to complete a configuration, you can run the commit command to commit the configuration, and the system enters the second phase, that is, the configuration commit phase. In the second phase, the system delivers the configuration in the candidate database to the corresponding service module. If the configuration takes effect, the system adds it to the running database. If the same configuration is added again, the system displays a message.

The following table lists the advantages and disadvantages of the immediate configuration validation and two-phase configuration validation modes.

Immediate configuration validation mode
Advantage: The configuration impact on services can be detected immediately.
Disadvantage: Incorrect configurations will immediately affect services. In this case, you have to delete incorrect configurations one by one because deleting services as a whole is not allowed.

Two-phase configuration validation mode
Advantages:
l All configurations take effect at the same time.
l Configurations in the candidate database can be previewed.
l When users find that a configuration in the candidate database is incorrect or does not meet their expectations, they can immediately clear the configurations that have not taken effect.
l The impacts of service configurations on current services can be minimized.
Disadvantage: The commit command needs to be run to validate configurations.

9.2 Configuration Management Features that the NE5000E Supports

Configuration management features allow users to lock, preview, and discard configurations, and to save the configuration file used at the current startup and the configuration file to be loaded at the next startup of the system.

The NE5000E supports the following configuration management features:

l configuration in two-phase configuration validation mode
l configuration in immediate configuration validation mode
l manual configuration saving
l automatic configuration saving
l configuration clearance
l specification of the configuration file to be loaded at the next startup

9.3 Selecting a Configuration Validation Mode

According to different reliability requirements, you can select either of two configuration validation modes, namely, immediate validation and two-phase validation.

Deployment Scenario

Before configuring a service, you must enter a configuration view. After the configuration view is displayed, the system initiates the corresponding configuration flow according to the set configuration validation mode. If configurations need to be validated immediately, use the immediate configuration validation mode. If configurations need to be validated after being configured, use the two-phase configuration validation mode.


Pre-configuration Tasks

Before managing configuration files, complete the following task:

l Allowing the user to log in to the device and enter the user view.

Configuration Procedures

A user can select either the immediate configuration validation mode or the two-phase configuration validation mode at a time.

Related Tasks
9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode
9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another User in Two-Phase Configuration Validation Mode
9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration Validation Mode
9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode
9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase Configuration Validation Mode

9.3.1 Configuring Immediate Configuration Validation Mode

To validate configurations immediately after they are configured, enable the immediate configuration validation mode.

Context

Before configuring a service, you must enter the system view. After the system view is displayed, the configuration validation mode can be specified. In immediate configuration validation mode, after a user enters a command line and presses Enter, the system performs the syntax check. The configuration takes effect as soon as it passes the syntax check.

Procedure

Step 1 (Optional) Run:
lock configuration

Configurations are locked in the user view.

To use the running database exclusively, lock configurations on the device to prevent other users from configuring services and submitting configurations. Other users can configure services in the running database only after you unlock configurations.


CAUTION
After locking configurations, you can edit and submit configurations. Other users can view and edit configurations but cannot submit configurations. They can configure services in the running database only after you unlock configurations.

Step 2 Run:
system-view immediately

The immediate configuration validation mode is enabled.

NOTE

To prevent a service from being affected, you can lock the configuration of a service as soon as the corresponding service process is initiated. While the configuration is locked, configurations cannot be submitted. The configuration of the service remains locked until the service process is successfully started. During this period, the configuration cannot be modified but can be queried.

If the configuration fails to be submitted, wait for 30 seconds and submit the configuration again. If the submission fails again, the configuration is locked by another user.

In the immediate validation mode, the command prompt is as follows:
<HUAWEI> system-view immediately
[HUAWEI]

Step 3 (Optional) If a configuration has been locked, run:

1. quit

The user view is displayed.

2. undo lock configuration

The configuration is unlocked.

CAUTION
After locking a configuration, you must unlock it after completing the configuration. Otherwise, configurations of other users cannot take effect.

----End

9.3.2 Configuring Two-Phase Configuration Validation Mode

If you need to validate configurations after the configurations are complete, use the two-phase configuration validation mode.

Context

The two-phase configuration validation mode enhances the security and reliability of configurations and minimizes the impact of configurations on services. If the configuration of a service that has taken effect does not meet expectations, the system can roll back to the status before the configuration was committed. Figure 9-1 shows the procedures in two-phase configuration validation mode.


Figure 9-1 Flowchart of configuration commit

[Flowchart: Set the two-phase validation mode and edit the configuration; Preview the configuration; Discard the uncommitted configuration; Commit the configuration. Lock the configuration and Unlock the configuration appear as optional procedures alongside the flow; the legend distinguishes mandatory procedures from optional procedures.]

Procedure

Step 1 (Optional) Run:
lock configuration

Configurations are locked in the user view.

To use the running database exclusively, lock configurations on the device to prevent other users from configuring services and committing configurations. Other users can configure services in the running database only after you unlock configurations.

CAUTION
After locking configurations, you can edit and commit configurations. Other users can view and edit configurations but cannot commit configurations. They can configure services in the running database only after you unlock configurations.

Step 2 Run:
system-view

The two-phase configuration validation mode is set and configurations can be edited.


NOTE

In the two-phase validation mode, the command prompt is as follows:
<HUAWEI> system-view
[~HUAWEI]

Step 3 (Optional) Run:
preview all configuration

Configurations in the candidate database can be previewed, including uncommitted and committed ones.

Before committing configurations, you can continue editing uncommitted configurations.

Step 4 (Optional) Run:
clear candidate-configuration

All configurations that are not committed are cleared.

If you do not need to validate uncommitted configurations, you can discard them.

Step 5 Run:
commit

The configuration is committed.

NOTE

To prevent a service from being affected, you can lock the configuration of a service as soon as the corresponding service process is initiated. While the configuration is locked, configurations cannot be committed. The configuration of the service remains locked until the service process is successfully started. During this period, the configuration cannot be committed but can be queried.

If the configuration fails to be committed, wait for 30 seconds and commit the configuration again. If the commit fails again, the configuration is locked by another user.

Step 6 (Optional) If a configuration has been locked, run:

1. quit

The user view is displayed.

2. undo lock configuration

The configuration is unlocked.

CAUTION
After locking a configuration, you must unlock it after completing the configuration. Otherwise, configurations of other users cannot take effect.

----End

9.4 Managing Configuration Files

You can set the configuration file to be loaded at the next startup and save the configuration file.


Applicable Environment

Current configurations are saved into the configuration file. After the system is restarted,configurations can be restored.

Pre-configuration Tasks

Before managing configuration files, complete the following tasks:

l Installing the router and powering it on properly.

l Configuring user accounts and the login authentication mode.

l Configuring reachable routes between the router and the terminal.

l Allowing a user to log in to the device.

Configuration Procedures

Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.

Related Tasks
9.5.6 Example for Managing Configuration Files

9.4.1 Saving Configurations

Configurations can be saved in a configuration file either automatically or manually.

Context

To avoid configuration loss on the router due to power-off or abnormal reset, the system supportsautomatic or manual configuration saving.

To enable the system to automatically save configurations or to save configurations manually,perform the following steps on the router.

Procedure
l Automatic configuration saving

1. Run the system-view command to enter the system view.

2. Run the set save-configuration [ interval interval | cpu-limit cpu-usage | delay delay-interval ] * command to enable the system to automatically save configurations.

– The system automatically saves configurations when the set interval interval expires, regardless of whether any configuration has changed during this period. If interval is not specified, the system automatically saves configurations every 30 minutes.

– If the automatic configuration saving timer expires and the CPU usage of the system is detected to be higher than the set cpu-limit cpu-usage, the system cancels the current automatic configuration saving operation.

– If delay delay-interval is specified, the system waits the specified delay before automatically saving configurations when configurations change.


After automatic configuration saving is configured, the system automatically saves configurations to the configuration file to be loaded at the next startup. The contents of the configuration file change along with configuration changes.

l Manual configuration saving

Run the save command to save the current configuration.

The extension name of a configuration file must be .cfg or .zip.

----End

9.4.2 Comparing Configuration Files

You can compare the current configuration file with the next-startup configuration file or a specified configuration file.

Context

NOTE

The compared filename extension of the configuration file must be .cfg or .zip.

Procedure

Step 1 Run:
compare configuration [ configuration-file ]

The current configuration is compared with the configuration file for the next startup or the specified configuration file.

The comparison begins with the first line of the configuration file.

When comparing the configuration files, the system displays the contents of the current configuration file and the saved configuration file starting from the first line that differs. By default, 150 characters are displayed for each configuration file. If the number of characters from the first different line to the end of the file is less than 150, all the contents after the first different line are displayed.

When comparing the current configuration with the configuration file for the next startup, if the configuration file for the next startup is unavailable or its contents are null, the system displays a message indicating that the file cannot be read.

----End
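The display rule above (first differing line, 150 characters per side, read failure for a missing or empty file), modelled in Python as an added example that is not Huawei code; the two configuration texts and the message wording are constructed.

```python
"""Added model of the NE5000E 'compare configuration' display rule.

This is not Huawei code. It reproduces the rule stated above: compare the
current configuration with the next-startup (or a specified) file line by
line; from the first line that differs, show up to 150 characters of each
side, or everything that is left when fewer than 150 characters remain; a
missing or empty next-startup file is reported as a read failure. The two
configuration texts and the exact message wording are constructed.
"""
from typing import Dict, Optional

DEFAULT_WIDTH = 150  # characters displayed per file unless told otherwise

# Constructed sample: the configuration currently running on the router.
CURRENT_CFG = """\
#
 sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#
user-interface vty 0 14
 user privilege level 3
 idle-timeout 0 0
#
return
"""

# Constructed sample: a next-startup file whose VTY settings drifted
# (higher privilege level, idle timeout changed).
NEXT_STARTUP_CFG = """\
#
 sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#
user-interface vty 0 14
 user privilege level 15
 idle-timeout 10 0
#
return
"""


class ReadError(Exception):
    """The compared file is unavailable or its contents are null."""


def first_difference(current: str, saved: str) -> Optional[int]:
    """0-based index of the first line that differs, or None if the two
    configurations are identical line for line."""
    cur_lines = current.splitlines()
    sav_lines = saved.splitlines()
    for index, (left, right) in enumerate(zip(cur_lines, sav_lines)):
        if left != right:
            return index
    if len(cur_lines) != len(sav_lines):
        return min(len(cur_lines), len(sav_lines))  # one side ended early
    return None


def compare_configuration(current: str, saved: Optional[str],
                          width: int = DEFAULT_WIDTH) -> Dict[str, object]:
    """Apply the display rule and return the 1-based differing line number
    (None when identical) plus the excerpt shown for each side."""
    if not saved:
        raise ReadError("Error: Failed to read the configuration file.")
    index = first_difference(current, saved)
    if index is None:
        return {"line": None, "current": "", "saved": ""}
    cur_rest = "".join(current.splitlines(keepends=True)[index:])
    sav_rest = "".join(saved.splitlines(keepends=True)[index:])
    # Slicing shows at most `width` characters; a shorter remainder is shown whole.
    return {"line": index + 1, "current": cur_rest[:width], "saved": sav_rest[:width]}


def render(current: str, saved: Optional[str], width: int = DEFAULT_WIDTH) -> str:
    """Text an operator would see: an error line, an 'identical' notice, or both
    excerpts. The wording is constructed, not the router's own."""
    try:
        result = compare_configuration(current, saved, width)
    except ReadError as exc:
        return str(exc)
    if result["line"] is None:
        return "The current configuration is identical to the compared file."
    return (f"Difference found at line {result['line']}.\n"
            f"====== current configuration ======\n{result['current']}"
            f"====== compared configuration ======\n{result['saved']}")
```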

9.4.3 Specifying the System Configuration File to Be Loaded at the Next Startup

You can specify a required configuration file to be loaded at the next startup of the system.

Context

After the system is restarted, you can specify a configuration file to restore systemconfigurations.


Procedure

Step 1 Run:
startup saved-configuration configuration-file

The configuration file to be used at the next startup is specified.

The extension of the configuration file name must be .db, .zip, or .cfg, and the file must be saved in the root directory of the storage device.

----End

9.4.4 Clearing the System Configuration File Loaded at the Current Startup

You can clear the configuration file that is loaded at the current startup of the system.

Context

The configuration file needs to be cleared in the following situations:

l The system software does not match the configuration file after the router is upgraded.

l The configuration file is destroyed or an incorrect configuration file is loaded.

Procedure

Step 1 Run:
reset saved-configuration

The configuration file that is loaded at the current startup is cleared.

NOTE

Before clearing the configuration file of the router, the system compares the configuration file loaded at the current startup with the file to be loaded at the next startup of the system.

l If the two configuration files are consistent with each other, both are cleared. In this case, the configuration file to be loaded at the next startup must be configured on the router. Otherwise, there is no configuration file on the device after the next startup.

l If the two configuration files are inconsistent with each other, only the configuration file loaded at the current startup is cleared.

l If the configuration file loaded at the current startup of the router is empty, the system notifies users that the configuration file does not exist after the reset saved-configuration command is run.

WARNING
Exercise caution when using this command; it is recommended that you run it under the supervision of technical support personnel.

----End


9.4.5 Checking the Configuration

You can check the configuration file loaded at the current startup, the configuration file to be loaded at the next startup, configuration information about configuration files, and the configuration file that is running currently.

Prerequisite
The file for the next startup has been loaded.

Procedure
l Run the display configuration configuration-file command to check configuration information about a specified configuration file.
l Run the display saved-configuration last command to check the configuration file loaded at the current startup of the system.
l Run the display saved-configuration command to check the configuration file to be loaded at the next startup of the system.
l Run the display startup command to check the names of the system software, the configuration file loaded at the current startup, and the configuration file to be loaded at the next startup.

----End

Example
# Display configuration information about a specified configuration file.

<HUAWEI> display configuration vrpcfg.db
#
info-center loghost source LoopBack0
info-center loghost 10.1.1.1
info-center loghost 10.1.1.2
#
alarm
 suppression name hwBfdSessReachLimit cause-period 5
 suppression name hwBfdSessReachLimit clear-period 15
 alarm name hwBfdSessReachLimit severity Critical
 snmp target-host target-host1 mask name mask1
 #
 mask name mask1
  mask severity Minor
  mask severity Warning
  mask alarm-name PmThresholdAlarm
#
user-interface maximum-vty 15
#
efm enable
#
aaa
 local-user ftp password cipher 0E0`_:6&/NGQ=^Q`MAF4<1!!
 local-user ftp ftp-directory cfcard:/
 local-user ftp service-type ftp
#
interface Ethernet3/0/1
 description Don't Shutdown! It's Management Port!
 undo shutdown
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
user-interface con 0
 set authentication password cipher OUM!K%F<+$[Q=^Q`MAF4<1!!
 history-command max-size 30
#
user-interface vty 0 14
 user privilege level 3
 idle-timeout 0 0
#
return

# Display the configuration file loaded at the current startup.

<HUAWEI> display saved-configuration last
#
aaa
 local-user ftp password cipher 0E0`_:6&/NGQ=^Q`MAF4<1!!
 local-user ftp ftp-directory cfcard:/
 local-user ftp service-type ftp
#
interface Ethernet3/0/1
 description Don't Shutdown! It's Management Port!
 undo shutdown
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
user-interface con 0
 set authentication password cipher OUM!K%F<+$[Q=^Q`MAF4<1!!
 history-command max-size 30
#
user-interface vty 0 14
 user privilege level 3
 idle-timeout 0 0
#
return

# Display the configuration file to be loaded at the next startup.

<HUAWEI> display saved-configuration
#
aaa
 local-user ftp password cipher 0E0`_:6&/NGQ=^Q`MAF4<1!!
 local-user ftp ftp-directory cfcard:/
 local-user ftp service-type ftp
#
interface Ethernet3/0/1
 description Don't Shutdown! It's Management Port!
 undo shutdown
#
user-interface con 0
 set authentication password cipher OUM!K%F<+$[Q=^Q`MAF4<1!!
 history-command max-size 30
#
user-interface vty 0 14
 user privilege level 3
 idle-timeout 0 0
#
return

# Display the names of the system software, the configuration file loaded at the current startup, and the configuration file to be loaded at the next startup.

<HUAWEI> display startup
MainBoard :
  Configured startup system software : VRPV800R002C00SPC001B003.rpg
  Startup system software : VRPV800R002C00SPC001B003.rpg
  Next startup system software : VRPV800R002C00SPC001B003.rpg
  Startup saved-configuration file : cfcard:/v1.cfg
  Next startup saved-configuration file : cfcard:/v2.cfg
  Startup paf file : default
  Next startup paf file : default
  Startup patch package : NULL
  Next startup patch package : NULL
SlaveBoard :
  Configured startup system software : VRPV800R002C00SPC001B003.rpg
  Startup system software : VRPV800R002C00SPC001B003.rpg
  Next startup system software : VRPV800R002C00SPC001B003.rpg
  Startup saved-configuration file : cfcard:/v1.cfg
  Next startup saved-configuration file : cfcard:/v2.cfg
  Startup paf file : default
  Next startup paf file : default
  Startup patch package : NULL
  Next startup patch package : NULL
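An added example, not part of the guide: a Python parser for the display startup output above that flags fields whose next-startup value differs from the current one and fields on which the two MPUs disagree, a check worth running before a planned restart. The sample text is a constructed copy of the output shown above, in which the next-startup configuration file already differs from the current one.

```python
"""Added example, not part of the guide: parse 'display startup' output and
flag next-startup drift.

Before a planned restart it is worth confirming that the software, the
configuration file and the patch package the router will load next are the
ones intended, and that both MPUs agree. The parser reads the board sections
of the display ('MainBoard :' / 'SlaveBoard :' followed by 'Field : value'
lines); SAMPLE_OUTPUT is a constructed copy of the guide's output.
"""
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
<HUAWEI> display startup
MainBoard :
  Configured startup system software : VRPV800R002C00SPC001B003.rpg
  Startup system software : VRPV800R002C00SPC001B003.rpg
  Next startup system software : VRPV800R002C00SPC001B003.rpg
  Startup saved-configuration file : cfcard:/v1.cfg
  Next startup saved-configuration file : cfcard:/v2.cfg
  Startup paf file : default
  Next startup paf file : default
  Startup patch package : NULL
  Next startup patch package : NULL
SlaveBoard :
  Configured startup system software : VRPV800R002C00SPC001B003.rpg
  Startup system software : VRPV800R002C00SPC001B003.rpg
  Next startup system software : VRPV800R002C00SPC001B003.rpg
  Startup saved-configuration file : cfcard:/v1.cfg
  Next startup saved-configuration file : cfcard:/v2.cfg
  Startup paf file : default
  Next startup paf file : default
  Startup patch package : NULL
  Next startup patch package : NULL
"""

Boards = Dict[str, Dict[str, str]]  # board name -> field name -> value


def parse_display_startup(text: str) -> Boards:
    """Split the output into one field map per board. Field names never contain
    ':', so the first ':' separates name and value (values such as
    cfcard:/v1.cfg keep their own colon)."""
    boards: Boards = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<") or ":" not in line:
            continue  # prompt line, blank line or something unparsable
        key, value = (part.strip() for part in line.split(":", 1))
        if not value and " " not in key:  # a board header such as 'MainBoard :'
            current = key
            boards[current] = {}
        elif current is not None:
            boards[current][key] = value
    return boards


def startup_drift(boards: Boards) -> List[Tuple[str, str, str, str]]:
    """(board, item, current value, next value) for every 'Startup <item>' whose
    'Next startup <item>' differs, i.e. what will change at the next restart."""
    findings = []
    for board, fields in boards.items():
        for key, value in fields.items():
            if not key.startswith("Startup "):
                continue
            item = key[len("Startup "):]
            next_value = fields.get("Next startup " + item)
            if next_value is not None and next_value != value:
                findings.append((board, item, value, next_value))
    return findings


def board_disagreements(boards: Boards) -> List[Tuple[str, Dict[str, Optional[str]]]]:
    """Fields on which the boards report different values; a field missing on
    one board counts as a disagreement too."""
    names = list(boards)
    keys = sorted(set().union(*(set(fields) for fields in boards.values())))
    disagreements = []
    for key in keys:
        values = {name: boards[name].get(key) for name in names}
        if len(set(values.values())) > 1:
            disagreements.append((key, values))
    return disagreements
```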

9.5 Configuration Examples

This section provides examples of configuring configuration management. You can understand the configuration procedures by referring to the configuration flowchart. Each configuration example provides information about the networking requirements, configuration notes, and configuration roadmap.

9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode

This section describes how to configure user services on the router in immediate configuration validation mode.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

As shown in Figure 9-2, a user logs in to the Router.

Figure 9-2 Networking of configuring services in immediate configuration validation mode

[Figure: a User connected over an IP Network to the Router]

To enable services to take effect immediately after they are configured, configure the services in immediate configuration validation mode.

After you enter a command line and press Enter, the system performs the syntax check. The configuration takes effect as soon as it passes the syntax check.


Configuration Roadmap
The configuration roadmap is as follows:

1. Choose the immediate configuration validation mode.
2. Configure a service.

Data Preparation
Interface IP address

Procedure

Step 1 Choose the immediate configuration validation mode.
<HUAWEI> system-view immediately

Step 2 Configure a service.

# Configure the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.

[HUAWEI] interface GigabitEthernet 4/0/6
[HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

----End

Configuration Files
#
 sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#

Related Tasks
9.3 Selecting a Configuration Validation Mode

9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another User in Two-Phase Configuration Validation Mode

This section provides an example for configuring services on the router after configurations on the device have been locked by another user.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.


As shown in Figure 9-3, user A and user B log in to the Router at the same time. After user A locks configurations on the Router, user B attempts to configure services on the device.

Figure 9-3 Networking of configuring services when configurations have been locked by another user in two-phase configuration validation mode

[Figure: User A and User B connected over an IP Network to the Router]

To use the running database exclusively, lock configurations on the device to prevent other users from configuring services and committing configurations. When configurations are locked by a user and other users attempt to configure services, the system notifies them that configurations have been locked. Other users can configure services in the running database only after the user unlocks configurations.

Configuration Roadmap
The configuration roadmap is as follows:

1. User A locks configurations.
2. User B configures a service. The system notifies user B that the current configuration fails because configurations have been locked by another user.

Data Preparation
Interface IP address

Procedure
Step 1 User A locks configurations.

<HUAWEI> lock configuration

Step 2 User B configures a service.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24
[~HUAWEI-GigabitEthernet4/0/6] commit
Error: The configuration is locked by other user. [Session ID = 407]

----End

Configuration Files
#
 sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
#


Related Tasks
9.3 Selecting a Configuration Validation Mode

9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration Validation Mode

This section provides an example for multiple users to configure the same service on one router in two-phase configuration validation mode.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

As shown in Figure 9-4, user A and user B log in to the Router at the same time. After user A configures a service on the Router, user B performs the same configuration for the service on the device.

Figure 9-4 Networking of multiple users to configure a same service in two-phase configuration validation mode

[Figure: User A and User B connected over an IP Network to the Router]

When user B submits a configuration that is the same as the configuration submitted by user A, the system notifies user B that the configuration conflicts with an existing configuration.

Configuration Roadmap
The configuration roadmap is as follows:

1. Allow user A and user B to configure the same service successively.
2. User A submits the configuration.
3. User B submits the configuration.

Data Preparation
Interface IP address


Procedure

Step 1 Allow user A and user B to configure the same service successively.

- User A configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.

<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

- User B configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.

<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

Step 2 User A submits the configuration.

[~HUAWEI-GigabitEthernet4/0/6] commit

Step 3 User B submits the configuration.

The system prompts user B that the configuration of user B conflicts with that of user A.

[~HUAWEI-GigabitEthernet4/0/6] commit
ip address 12.1.1.1 24
Error: The address already exists.

Commit canceled, the configuration conflicted with other user, you can modify the configuration and commit again.

----End

Configuration Files

#
 sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#

Related Tasks

9.3 Selecting a Configuration Validation Mode

9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode

This section provides an example for multiple users to configure a service on one router.

Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.


As shown in Figure 9-5, user A and user B log in to the Router at the same time. After user A configures a service on the Router, user B configures the service on the device. For example, users A and B both configure different IP addresses on the same interface.

Figure 9-5 Networking of multiple users to configure a service in two-phase configuration validation mode (figure: User A and User B access the Router over an IP network)

When user B submits the configuration, it will overwrite the configuration submitted by user A.

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a service as user A and user B.
2. Submit the configuration of user A.
3. Submit the configuration of user B.

Data Preparation

Different interface IP addresses

Procedure

Step 1 Configure a service as user A and user B.

- Configure the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router as user A.

<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

- Configure the IP address of GigabitEthernet 4/0/6 to be 12.1.1.2 on the router as user B.

<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.2 24

Step 2 Submit the configuration of user A.

[~HUAWEI-GigabitEthernet4/0/6] commit

Step 3 Submit the configuration of user B.

[~HUAWEI-GigabitEthernet4/0/6] commit

The following information indicates that the configuration of user B overwrites the configuration submitted by user A.

[~HUAWEI-GigabitEthernet4/0/6] display this
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.2 255.255.255.0
return

----End

Configuration Files

#
 sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.2 255.255.255.0
#

Related Tasks

9.3 Selecting a Configuration Validation Mode

9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase Configuration Validation Mode

This section provides an example for configuring different services on one router.

Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

As shown in Figure 9-6, user A and user B log in to the Router at the same time. User A and user B configure different services on the Router.

Figure 9-6 Networking of configuring different services by multiple users in two-phase configuration validation mode (figure: User A and User B access the Router over an IP network)

If user A and user B submit two configurations of different services, both configurations take effect.


Configuration Roadmap

The configuration roadmap is as follows:

1. Allow user A and user B to configure different services.
2. User A submits the configuration.
3. User B submits the configuration.

Data Preparation

Interface IP address

Procedure

Step 1 Allow user A and user B to configure different services.

- User A configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.

<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

- User B enables the FTP service.

<HUAWEI> system-view
[~HUAWEI] ftp server enable

Step 2 User A submits the configuration.

[~HUAWEI-GigabitEthernet4/0/6] commit

Step 3 User B submits the configuration (user B is still in the system view, where the FTP service was enabled).

[~HUAWEI] commit

After user B commits configurations, the system adds the new configurations on the basis of the original configurations.

<HUAWEI> display current-configuration
#
 ftp server enable
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0

----End

Configuration Files

#
 sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#
 ftp server enable
#
return

Related Tasks

9.3 Selecting a Configuration Validation Mode
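The locking procedure at the start of this section and examples 9.5.3 to 9.5.5 show four different outcomes of a commit in two-phase validation mode: a commit refused because another session holds the lock, a commit refused because the staged address already exists, a silent overwrite of an interface attribute by the later commit, and a merge of unrelated services. The following Python model is an added example, not Huawei code and not part of this guide; it replays those four cases against a minimal in-memory model so the commit semantics can be reasoned about offline. The names Router, Session and CommitError, the (view, key) layout of the configuration, and the conflict rule (an address that already exists in the running configuration is refused, any other value for the same key overwrites) are this example's own simplifying assumptions derived from the outputs shown above.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Interface used in the examples above.
IFACE = "interface GigabitEthernet4/0/6"


class CommitError(Exception):
    """A refused commit; the message mirrors the CLI error line."""


@dataclass
class Router:
    """Committed (running) configuration plus the configuration lock (assumed model)."""
    running: Dict[Tuple[str, str], str] = field(default_factory=dict)
    lock_holder: Optional[str] = None  # user who ran 'lock configuration'

    def lock(self, user: str) -> None:
        if self.lock_holder not in (None, user):
            raise CommitError("The configuration is locked by other user.")
        self.lock_holder = user

    def unlock(self, user: str) -> None:
        if self.lock_holder == user:
            self.lock_holder = None

    def address_in_use(self, address: str) -> bool:
        return any(k == "ip address" and v == address for (_, k), v in self.running.items())


@dataclass
class Session:
    """One user's candidate configuration; invisible to others until commit."""
    router: Router
    user: str
    candidate: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def set(self, view: str, key: str, value: str) -> None:
        self.candidate[(view, key)] = value

    def commit(self) -> None:
        r = self.router
        if r.lock_holder not in (None, self.user):
            raise CommitError("The configuration is locked by other user.")
        for (_, key), value in self.candidate.items():
            # An address already present in the running configuration is a
            # conflict (9.5.3); a different value for the same key overwrites (9.5.4).
            if key == "ip address" and r.address_in_use(value):
                raise CommitError("The address already exists.")
        r.running.update(self.candidate)  # unrelated services merge (9.5.5)
        self.candidate.clear()


def try_commit(session: Session) -> Optional[str]:
    """Return None on success, otherwise the error text the CLI would print."""
    try:
        session.commit()
        return None
    except CommitError as exc:
        return str(exc)


def fresh() -> Tuple[Router, Session, Session]:
    r = Router()
    return r, Session(r, "A"), Session(r, "B")


def run_scenarios() -> dict:
    """Replay the four examples and return each outcome."""
    results = {}

    # Locking: user A locks, user B's commit is refused.
    r, a, b = fresh()
    r.lock("A")
    b.set(IFACE, "ip address", "12.1.1.1 24")
    results["locked"] = try_commit(b)

    # 9.5.3: both users stage the same address; the second commit conflicts.
    r, a, b = fresh()
    a.set(IFACE, "ip address", "12.1.1.1 24")
    b.set(IFACE, "ip address", "12.1.1.1 24")
    results["same_service"] = (try_commit(a), try_commit(b))

    # 9.5.4: different addresses on the same interface; B's commit overwrites A's.
    r, a, b = fresh()
    a.set(IFACE, "ip address", "12.1.1.1 24")
    b.set(IFACE, "ip address", "12.1.1.2 24")
    results["overwrite"] = (try_commit(a), try_commit(b), r.running[(IFACE, "ip address")])

    # 9.5.5: unrelated services; both commits take effect.
    r, a, b = fresh()
    a.set(IFACE, "ip address", "12.1.1.1 24")
    b.set("system-view", "ftp server", "enable")
    results["different_services"] = (try_commit(a), try_commit(b), dict(r.running))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The overwrite case is the one to keep in mind when reviewing change records: the second commit succeeds without any warning, so the only evidence that user A's address was replaced is the later display this output. The lock configuration command shown at the start of this section is the mechanism this guide offers for serialising such changes.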


9.5.6 Example for Managing Configuration Files

This example shows you how to save configurations and set the configuration file to be loaded at the next startup.

Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

As shown in Figure 9-7, a user logs in to the Router.

Figure 9-7 Managing Configuration Files (figure: a User accesses the Router over an IP network)

Precautions

None.

Configuration Roadmap

The configuration roadmap is as follows:

1. Change configurations.
2. Save configurations in a configuration file.
3. Specify the configuration file to be loaded at the next startup.
4. After system upgrade, compare the current running configuration with that defined in the configuration file loaded at system startup to check whether configurations are lost.

Data Preparation

None.

Procedure

Step 1 Change configurations.

For example, enable the FTP service.

<HUAWEI> system-view
[~HUAWEI] ftp server enable
[~HUAWEI] commit
[~HUAWEI] quit

Step 2 Save configurations to the file vrpcfg.cfg.

<HUAWEI> save vrpcfg.cfg
Warning: Are you sure to save the configuration to vrpcfg.cfg? [Y/N]: y
Now saving the current configuration to the device.
Save the configuration successfully.

Step 3 Specify the configuration file to be loaded at the next startup.

<HUAWEI> startup saved-configuration vrpcfg.cfg

Step 4 After system upgrade, compare the current running configuration with that defined in the configuration file loaded at system startup to check whether configurations are lost.

<HUAWEI> compare configuration
The current configuration is the same as the next startup configuration file.

----End

Configuration Files

#
 sysname HUAWEI
#
 ftp server enable

Related Tasks9.4 Managing Configuration Files


10 File System Management

About This Chapter

The file system can help you manage files and directories on a storage device.

10.1 File System Overview

The file system helps you manage files and directories on a storage device so that you can view, create, rename, or delete a directory, or copy, move, rename, or delete a file.

10.2 File System Supported by the NE5000E

The NE5000E supports the file system, including storage devices, directories, and files.

10.3 Managing the Directory

You can manage directories to logically store files in a hierarchy.

10.4 Managing Files

You can log in to the file system to view, delete, or rename the files on the router.

10.5 Configuration Examples

This section provides examples for using the file system. Each configuration example consists of the networking requirements, configuration notes, configuration roadmap, configuration procedures, and configuration files.


10.1 File System Overview

The file system helps you manage files and directories on a storage device so that you can view, create, rename, or delete a directory, or copy, move, rename, or delete a file.

10.2 File System Supported by the NE5000E

The NE5000E supports the file system, including storage devices, directories, and files.

Storage Devices

Storage devices are hardware devices that store data.

At present, the router supports storage devices such as flash memory and compact flash (CF) cards.

Directories

The directory is a mechanism with which the system integrates and organizes files, serving as a logical container of the file.

Files

The file is a mechanism with which the system stores and manages data.

10.3 Managing the Directory

You can manage directories to logically store files in a hierarchy.

Context

You can manage directories by changing and displaying directories, displaying files in directories and sub-directories, and creating and deleting directories.

Procedure

- Run:

cd directory

A directory is specified.

- Run:

pwd

The current directory is displayed.

- Run:

dir [ /all ] [ filename ]

The file and sub-directory list in the directory is displayed.

Either the absolute path or the relative path is applicable.


- Run:

mkdir directory

The directory is created.

- Run:

rename source-filename destination-filename

The directory is renamed.

- Run:

rmdir directory

The directory is deleted.

----End

Related Tasks

10.5.1 Example for Managing a Directory

10.4 Managing Files

You can log in to the file system to view, delete, or rename the files on the router.

Context

- Managing files includes: displaying contents, copying, moving, renaming, compressing, deleting, undeleting, deleting files in the recycle bin, running files in batch, and configuring prompt modes.

- You can run the cd directory command to enter the required directory from the current directory.

Procedure

- Run:

more filename

The content of the file is displayed.

- Run:

copy source-filename destination-filename

The file is copied.

NOTE

The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.

- Run:

move source-filename destination-filename

The file is moved.

- Run:

rename source-filename destination-filename

The file is renamed.

- Run:

zip source-filename destination-filename


The file is compressed.

- Run:

delete [ /unreserved ] filename

The file is deleted.

If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored after being deleted.

- Run:

undelete filename

The deleted file is recovered.

NOTE

If the current directory is not the parent directory, you must operate the file by using the absolute path. If you use the parameter /unreserved in the delete command, the file cannot be restored after being deleted.

- Run:

reset recycle-bin [ /f | filename ]

The file is deleted.

You can permanently delete files in the recycle bin. /f specifies that all files are deleted from the recycle bin without prompting whether to delete the files.

- Running Files in Batch

You can upload the files and then process the files in batches. The edited batch files need to be saved in the storage devices on the router.

When the batch file is created, you can run the batch file to implement routine tasks automatically.

1. Run:

system-view

The system view is displayed.

2. Run:

execute filename

The batch file is executed.

- Configuring Prompt Modes

The system displays prompts or warning messages when you operate the device (especially for operations leading to data loss). If you need to change the prompt mode for file operations, you can configure the prompt mode of the file system.

1. Run:

system-view

The system view is displayed.

2. Run:

file prompt { alert | quiet }

The prompt mode of the file system is configured.

By default, the prompt mode is alert.


CAUTION

If the prompt mode is quiet, no prompt appears before an operation that causes data loss, so a mistaken command deletes data without confirmation.

----End

Related Tasks

10.5.2 Example for Managing Files

10.5 Configuration Examples

This section provides examples for using the file system. Each configuration example consists of the networking requirements, configuration notes, configuration roadmap, configuration procedures, and configuration files.

10.5.1 Example for Managing a Directory

This section describes how to manage a directory.

Networking Requirements

The router on which you need to manage a directory is correctly configured.

Configuration Notes

None.

Configuration Roadmap

The configuration roadmap is as follows:

1. View the current directory.
2. Create a new directory.
3. Check that the new directory is successfully created.

Data Preparation

To complete the configuration, you need the following data:

- Name of the directory to be created

Procedure

Step 1 Display the current directory.

<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009 17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010 10:03:33   private-data.txt
    2  drw-              -  Sep 09 2009 09:42:52   src
    3  drw-              -  Sep 09 2009 09:42:53   logfile
    4  -rw-            280  Sep 09 2009 09:42:53   $_patch_rollback_state
    5  -rw-         11,772  Nov 25 2009 16:56:55   $_patchstate_a
    6  -rw-              4  Jan 19 2010 03:09:32   snmpnotilog.txt
    7  drw-              -  Sep 09 2009 09:43:00   lam
    8  -rw-          2,584  Jan 21 2010 12:02:18   vrpcfg.cfg
    9  drw-              -  Jan 21 2010 11:09:21   logfilelogfile

180,862 KB total (305,358 KB free)

Step 2 Create a new directory in the root directory.

<HUAWEI> mkdir abc
Info:Create directory cfcard:/abc......Done.

Step 3 Display the current directory. You can see that the new directory has been created.

<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009 17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010 10:03:33   private-data.txt
    2  drw-              -  Sep 09 2009 09:42:52   src
    3  drw-              -  Sep 09 2009 09:42:53   logfile
    4  -rw-            280  Sep 09 2009 09:42:53   $_patch_rollback_state
    5  -rw-         11,772  Nov 25 2009 16:56:55   $_patchstate_a
    6  -rw-              4  Jan 19 2010 03:09:32   snmpnotilog.txt
    7  drw-              -  Sep 09 2009 09:43:00   lam
    8  -rw-          2,584  Jan 21 2010 12:02:18   vrpcfg.cfg
    9  drw-              -  Jan 21 2010 11:09:21   logfilelogfile
   10  drw-              -  Jan 23 2010 11:10:42   abc

180,862 KB total (305,358 KB free)

----End

Related Tasks

10.3 Managing the Directory

10.5.2 Example for Managing Files

This section provides an example for managing files.

Networking Requirements

By configuring the file system of the router, a user can operate the router through the console port and copy files to the specified directory.

The file path in the storage device must be correct. If the user does not specify a target file name, the source file name is used as the name of the target file by default.

Configuration Notes

None.

Configuration Roadmap

The configuration roadmap is as follows:

1. Check the files under a certain directory.
2. Copy a file to this directory.
3. Check this directory and verify that the file has been copied to the specified directory.


Data Preparation

To complete the configuration, you need the following data:

- Source file name and target file name
- Source file path and target file path

Procedure

Step 1 Display the file information in the current directory.

<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009 17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010 10:03:33   private-data.txt
    2  drw-              -  Sep 09 2009 09:42:52   src
    3  drw-              -  Sep 09 2009 09:42:53   logfile
    4  -rw-            280  Sep 09 2009 09:42:53   $_patch_rollback_state
    5  -rw-         11,772  Nov 25 2009 16:56:55   $_patchstate_a
    6  -rw-              4  Jan 19 2010 03:09:32   snmpnotilog.txt
    7  drw-              -  Sep 09 2009 09:43:00   lam
    8  -rw-          2,584  Jan 21 2010 12:02:18   vrpcfg.cfg
    9  drw-              -  Jan 21 2010 11:09:21   logfilelogfile

180,862 KB total (305,358 KB free)

Step 2 Copy the file slave#cfcard2:/sample.txt to cfcard:/sample1.txt.

<HUAWEI> copy slave#cfcard2:/sample.txt cfcard:/sample1.txt
Copy slave#cfcard2:/sample.txt to cfcard:/sample1.txt?[Y/N]: y
.100% complete
Info:Copied file slave#cfcard2:/sample.txt to cfcard:/sample1.txt...Done.

Step 3 Display the file information about the current directory. You can see that the file has been copied to the specified directory.

<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009 17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010 10:03:33   private-data.txt
    2  drw-              -  Sep 09 2009 09:42:52   src
    3  drw-              -  Sep 09 2009 09:42:53   logfile
    4  -rw-            280  Sep 09 2009 09:42:53   $_patch_rollback_state
    5  -rw-         11,772  Nov 25 2009 16:56:55   $_patchstate_a
    6  -rw-              4  Jan 19 2010 03:09:32   snmpnotilog.txt
    7  drw-              -  Sep 09 2009 09:43:00   lam
    8  -rw-          2,584  Jan 21 2010 12:02:18   vrpcfg.cfg
    9  drw-              -  Jan 21 2010 11:09:21   logfilelogfile
   10  drw-          1,605  Jan 23 2010 14:30:32   sample1.txt

180,864 KB total (305,356 KB free)

----End

Related Tasks

10.4 Managing Files
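Both file-system examples end with a dir listing that the operator reads by eye to confirm the new entry. When listings are collected from many routers, the same confirmation, plus a check for entries that are not on an expected baseline of the CF card, is easier to script. The following Python parser is an added example, not Huawei code and not part of this guide. The sample listing is constructed from the Step 3 output above (with the copied file shown with the ordinary file attribute -rw-), the baseline names are taken from the Step 1 listing, and the column regex, the entry dictionary keys and the function names are the example's own assumptions about the dir output format shown in this chapter.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, based on the 'dir' output of Step 3 above.
SAMPLE_DIR_OUTPUT = """\
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009 17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010 10:03:33   private-data.txt
    2  drw-              -  Sep 09 2009 09:42:52   src
    3  drw-              -  Sep 09 2009 09:42:53   logfile
    4  -rw-            280  Sep 09 2009 09:42:53   $_patch_rollback_state
    5  -rw-         11,772  Nov 25 2009 16:56:55   $_patchstate_a
    6  -rw-              4  Jan 19 2010 03:09:32   snmpnotilog.txt
    7  drw-              -  Sep 09 2009 09:43:00   lam
    8  -rw-          2,584  Jan 21 2010 12:02:18   vrpcfg.cfg
    9  drw-              -  Jan 21 2010 11:09:21   logfilelogfile
   10  -rw-          1,605  Jan 23 2010 14:30:32   sample1.txt

180,864 KB total (305,356 KB free)
"""

# Names present in the Step 1 listing, used as the expected baseline.
BASELINE_NAMES = [
    "vrpcfg.cfg", "private-data.txt", "src", "logfile", "$_patch_rollback_state",
    "$_patchstate_a", "snmpnotilog.txt", "lam", "logfilelogfile",
]

# One listing row: index, attribute ('d' for directory), size or '-', timestamp, name.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([-d])rw-\s+([\d,]+|-)\s+(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(\S.*?)\s*$"
)
# Trailing summary line: total and free space in KB.
SUMMARY_RE = re.compile(r"^\s*([\d,]+) KB total \(([\d,]+) KB free\)")


def _to_int(text: str) -> int:
    return int(text.replace(",", ""))


def parse_dir(text: str) -> Tuple[List[Dict], Optional[int], Optional[int]]:
    """Return (entries, total_kb, free_kb) parsed from a 'dir' listing."""
    entries: List[Dict] = []
    total = free = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            idx, kind, size, stamp, name = m.groups()
            entries.append({
                "idx": int(idx),
                "is_dir": kind == "d",
                "size": None if size == "-" else _to_int(size),
                "time": stamp,
                "name": name,
            })
            continue
        m = SUMMARY_RE.match(line)
        if m:
            total, free = _to_int(m.group(1)), _to_int(m.group(2))
    return entries, total, free


def file_exists(text: str, name: str) -> bool:
    """True if a regular file (not a directory) with this name is listed."""
    entries, _, _ = parse_dir(text)
    return any(e["name"] == name and not e["is_dir"] for e in entries)


def unexpected_names(text: str, baseline: List[str]) -> List[str]:
    """Names in the listing that are not in the expected baseline."""
    entries, _, _ = parse_dir(text)
    return sorted({e["name"] for e in entries} - set(baseline))


if __name__ == "__main__":
    entries, total, free = parse_dir(SAMPLE_DIR_OUTPUT)
    print(len(entries), "entries;", total, "KB total;", free, "KB free")
    print("sample1.txt present:", file_exists(SAMPLE_DIR_OUTPUT, "sample1.txt"))
    print("not in baseline:", unexpected_names(SAMPLE_DIR_OUTPUT, BASELINE_NAMES))
```

The baseline comparison is the part worth keeping in a periodic job: an entry that appears on the storage device without a matching change record is exactly the kind of thing the dir command makes visible but nobody reads for on a busy router.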


11 Clock Synchronization Configuration

About This Chapter

11.1 Clock Synchronization Overview

On a digital communication network (DCN), clock synchronization ensures normal communication between the sender and receiver by enabling the sender to send and the receiver to obtain digital pulse signals in the same timeslots.

11.2 Clock Synchronization Features Supported by the NE5000E (NE5000E-X16)

Before configuring clock synchronization, familiarize yourself with the concepts of the BITS clock signal, POS line clock signal, clock source selection mode, and so on. This will help you complete the configuration task quickly and efficiently.

11.3 Configuring an External BITS Clock Reference Source

You can configure a device to trace different types of external BITS clock reference sources. (This configuration can be done on the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB.)

11.4 Specifying a Clock Source Manually

In manual mode, you can specify a certain clock source for the clock board to trace.

11.5 Configuring Automatic Clock Source Selection to Be Based on Priorities

When a device has multiple clock sources but does not perform clock source switching based on SSM levels, you can set different priorities for the clock sources. When the clock source with the highest priority fails, the clock board switches to the clock source with the second highest priority.

11.6 Configuring Automatic Clock Source Selection to Be Based on SSM Levels

When there are multiple clock sources, the clock board uses the clock source with the highest SSM level. When the clock source with the highest SSM level fails, the clock board uses the clock source with the second highest SSM level.

11.7 Configuration Examples

This section describes how to configure protection switching among clocks with an example. In this configuration example, the networking requirements, configuration notes, and configuration roadmap are provided.


11.1 Clock Synchronization Overview

On a digital communication network (DCN), clock synchronization ensures normal communication between the sender and receiver by enabling the sender to send and the receiver to obtain digital pulse signals in the same timeslots.

Concepts

Clock synchronization refers to the maintenance of a strict relationship between the frequencies or signal phases of all the devices on a network. This means that signals are transmitted at the same average rate during a valid period, which allows all the devices on the network to work at the same rate.

On a digital communication network, the send end sends digital pulse signals in specific timeslots, and the receive end extracts pulses from these timeslots. In this manner, the send end and the receive end can communicate with each other. The clocks of the send end and the receive end must be synchronized, which is the prerequisite for normal communication between the two ends. Clock synchronization ensures that the clocks on the send end and the receive end are synchronized.

Purpose

Clock synchronization is a technique that limits the difference in clock frequency or phase between the network elements (NEs) on digital networks to within a certain range. On a digital communication network, discrete pulses obtained from Pulse Code Modulation (PCM)-coded information are transmitted. If the clock frequencies of two digital switching devices differ, or digital bit streams are corrupted due to interference during transmission, phase drift or jitter occurs. Consequently, the buffer of the digital switching system experiences data loss or duplication, resulting in incorrect transmission of the bit streams. If the frequency difference or phase difference is beyond the allowed range, error codes and jitter may occur, which causes network transmission performance to deteriorate.

Classification and Numbering of Clock Sources

A device that provides clock signals for another device is called the clock source. A device may have multiple clock sources. The following table shows the classification and numbering of clock sources.

Table 11-1 Classification and numbering of clock sources

Type: Internal clock source
Description: The reference clock provided by the clock board of a device is used as the clock of the device.
Number: 0

Type: BITS clock source
Description: Currently, Synchronous Digital Hierarchy (SDH) or Plesiochronous Digital Hierarchy (PDH) uses the Building Integrated Timing Supply System (BITS) to build up a digital synchronization network and form a hierarchical timing allocation system.
  On the NE5000E using the clock board CR52CLKA:
  - The clock interface on the MPU receives and traces the clock of a higher level.
  On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB:
  - The clock bits-type command can be used to configure a device to trace different types of external BITS clock reference sources.
  NOTE: The signal types supported by the interfaces are described in Table 11-2 of Clock Synchronization Features Supported by the NE5000E (NE5000E-X16).
Number:
  On the NE5000E using the clock board CR52CLKA:
  - The number of the BITS0 clock source is 1.
  - The number of the BITS1 clock source is 2.
  On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB:
  - The clock bits-map command can be used to map an external clock reference source to the index of a user clock reference source.

Type: Line clock source
Description: The clock board of a device extracts the clock signal from the STM-N line signal as the clock of the device.
Number: Slot ID of an LPU + 2. For example, the number of the clock source on the LPU in slot 1 is 3 and the number of the clock source on the LPU in slot 2 is 4.

11.2 Clock Synchronization Features Supported by the NE5000E (NE5000E-X16)

Before configuring clock synchronization, familiarize yourself with the concepts of the BITS clock signal, POS line clock signal, clock source selection mode, and so on. This will help you complete the configuration task quickly and efficiently.

Tracing or Outputting BITS Clock Signals Through Clock Interfaces

NOTE

Limited by the lengths of clock cables, the mode of tracing or outputting BITS clock signals through clock interfaces is applicable to the interfaces on a site. For the limit on the clock cable length, see "Clock Cable" in the section "Cables" in the HUAWEI NetEngine5000E Core Router Hardware Description - NE5000E-X16 Hardware Description.

On the NE5000E using the clock board CR52CLKA:


- The BITS clocks that devices can obtain from a BITS clock device are classified into two types: 2.048 MHz clocks and 2.048 Mbit/s clocks. The input modes of BITS clocks are classified into BITS0 and BITS1. A router obtains a clock through a clock interface on the MPU.

- The MPU on the NE5000E provides four clock interfaces. Two of them are input interfaces, which are connected to BITS devices to obtain clock signals. The other two are output interfaces, which are connected to the clock input interfaces on downstream devices to provide time signals to the downstream devices.

NOTE

The difference between the 2.048 MHz clock and the 2.048 Mbit/s clock is that the 2.048 MHz clock can provide only pulse signals for clock synchronization, whereas the 2.048 Mbit/s clock can provide signals bearing services in addition to pulse signals for clock synchronization.

On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB:

l The MPU provides four clock interfaces, CLK/TOD0, CLK/TOD1, CLK/1PPS, and CLK/Serial.

NOTE

For the schematic diagram of the clock interfaces on the MPU, see the section "Control Plane" in the chapter "NE5000E-X16 CLC" in the HUAWEI NetEngine5000E Core Router Hardware Description - NE5000E-X16 Hardware Description.

- CLK/TOD0 and CLK/TOD1 are also called BITS0 and BITS1 respectively. CLK/1PPS and CLK/Serial, as two SMB interfaces, are bound together to form BITS2. A BITS interface transmits only one type of signal at a time.

- RJ45 interfaces and SMB interfaces must be connected to dedicated clock cables to input and output clock signals. For the description of the clock cable, see "Clock Cable" in the section "Cables" in the HUAWEI NetEngine5000E Core Router Hardware Description - NE5000E-X16 Hardware Description.

- The NE5000E-X16 or the NE5000E using the new clock board CR52CLKB can be configured to trace different types of external BITS clock reference sources by using the clock bits-type command.

- An external clock reference source can be mapped to the index of a user clock reference source by using the clock bits-map command.

The signal types supported by clock interfaces are listed in the following table.


Table 11-2 Signal input or output on BITS interfaces

Interface name on the clock board: CLK/TOD0
Interface name identified by software: BITS0
Interface type: RJ45
Type of input or output signals:
  Clock signals:
  - 2.048 Mbit/s clock signals
  - 2.048 MHz clock signals
  Time signals:
  - 1PPS (RS422)+ASCII (RS422) time signals
  - Two DCLS clock channels (one channel for input, and the other channel for output)

Interface name on the clock board: CLK/TOD1
Interface name identified by software: BITS1
Interface type: RJ45
Type of input or output signals:
  Clock signals:
  - 2.048 Mbit/s clock signals
  - 2.048 MHz clock signals
  Time signals:
  - 1PPS (RS422)+ASCII (RS422) time signals
  - Two DCLS clock channels (one channel for input, and the other channel for output)

Interface name on the clock board: CLK/1PPS and CLK/Serial (the two SMB interfaces together form BITS2)
Interface name identified by software: BITS2
Interface type: SMB
Type of input or output signals:
  Clock signals:
  - 2.048 Mbit/s clock signals
  - 2.048 MHz clock signals
  Time signals:
  - 1PPS (TTL)+ASCII (RS232) time signals

- If a BITS interface transmits 2.048 Mbit/s, 2.048 MHz, or two channels of DCLS time signals, you do not need to configure input or output to specify signal input or output, because these types of clock signals are both input and output on the same interface. For example, if BITS0 transmits 2.048 Mbit/s signals, BITS0 both inputs and outputs 2.048 Mbit/s clock signals.

- If a BITS interface transmits 1PPS+ASCII time signals, signal input or output must be specified, because 1PPS+ASCII time signals can be either input or output at a time on an interface.

- If BITS2 is used to transmit 1PPS+ASCII time signals (RS232), both SMB interfaces either input or output the time signals. If BITS2 transmits clock signals, CLK/1PPS is always used to input signals and CLK/Serial is always used to output signals.

The limitations on the output of different types of time signals on a device are as follows:

• If only one channel of time signals needs to be output, the signals can be successfully output.


• If two channels of 1PPS+ASCII signals need to be output at the same time, they can be successfully output.

• If one channel of 1PPS+ASCII signals and one channel of DCLS signals need to be output at the same time, only the 1PPS+ASCII signals can be successfully output.

Sending or Receiving Clock Signals Through POS Interfaces or 10GE WAN Interface

Information about the master clock is contained in STM-N signals. After receiving STM-N signals through LPUs, the clock boards of the MPUs on other devices extract the clock information from the STM-N signals and then synchronize with the master clock. Sending or receiving clock signals through POS interfaces is a commonly used clock synchronization mode. In this mode, POS, Asynchronous Transfer Mode (ATM), and Resilient Packet Ring (RPR) links can be used to implement clock synchronization, so no separate clock synchronization network needs to be built. The NE5000E can send or receive clock signals through a POS interface or 10GE WAN interface.

Clock Source Selection Mode

On a digital communication network, every router traces the same primary clock level by level along clock synchronization paths to implement clock synchronization on the network. Usually, a router has more than one path for clock tracing and therefore has multiple available clock sources. These clock sources may originate from the same master clock or from reference clocks of different qualities. Keeping the clocks of all routers synchronized is very important for a digital communication network. Dynamic clock source selection prevents the failure of one clock synchronization path from affecting the entire network.

Currently, the NE5000E supports two modes of clock source selection: the manual mode and the automatic mode.

• Manual mode: This mode allows you to configure the clock board to always trace a specified clock source and not to trace another one even if the specified clock source fails.

• Automatic mode: In this mode, clock source selection is based on either the priorities of clock sources or the Synchronous Status Message (SSM) levels of clock sources. An SSM is a group of codes used to indicate the level of clock quality on a synchronization network. For details about each SSM level, see Chapter "Clock Synchronization" in the HUAWEI NetEngine5000E Core Router Feature Description - Basic Configurations.

– Automatic clock source selection based on priorities: A clock board selects the clock source with the highest priority. If the clock source with the highest priority is lost, the clock board automatically switches to trace the clock source with the second highest priority. If the clock source with the highest priority recovers, the clock board traces that clock source again. SSM levels are not involved. Clock source priorities are configurable. If a clock source priority is left at its default of 19, the clock source will not be selected during protection switching.

NOTE
Clock source priorities are locally valid and are not sent to downstream devices in clock signals.

– Automatic clock source selection based on SSM levels: A clock board selects the clock source with the highest SSM level. If the SSM levels of the clock sources are the same, the clock board selects a clock source among them based on their priorities. If the clock source with the highest SSM level is lost, the clock board automatically switches to trace the clock source with the second highest SSM level. If the original clock source with the highest SSM level recovers, the clock board traces that clock source again. The SSM level of a clock source can be specified or obtained from clock signals sent by an upstream device. If the SSM level of a clock source is DNU and automatic clock source selection based on SSM levels is adopted, the clock source is not selected during protection switching.

NOTE
For BITS clock source signals received by the system, if the signal type is 2.048 Mbit/s, the SSM level is extracted from the signals by the clock module; if the signal type is 2.048 MHz, the SSM level needs to be configured.
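The selection rules described in this section can be checked against a small model. The following Python code is an added example, not Huawei code and not part of this guide: it encodes the rules the guide states (priority mode, SSM mode, manual mode, the default priority 19 and the DNU level being skipped, ties broken by priority and then by the lower sequence number, and the switch back to a higher-ranked source when it recovers). The ClockSource record, the function names, and the sample source names and values are constructed for illustration.

```python
"""Model of the NE5000E clock source selection rules described in 11.2.

Added example, not Huawei code. The ClockSource record, function names and
sample values are constructed; only the selection rules come from the guide.
"""
from dataclasses import dataclass
from typing import List, Optional

# SSM levels in descending order of clock quality, as listed in the guide.
SSM_ORDER = ["prc", "tnc", "lnc", "sets", "unknown", "dnu"]
SSM_RANK = {level: rank for rank, level in enumerate(SSM_ORDER)}

# A source left at the default priority is never chosen during protection switching.
DEFAULT_PRIORITY = 19


@dataclass
class ClockSource:
    index: int                  # index of the user clock source (sequence number)
    name: str                   # e.g. BITS0 or LPU7 (constructed names)
    priority: int = DEFAULT_PRIORITY
    ssm: str = "unknown"        # extracted from the signal or configured manually
    available: bool = True      # False once the signal is lost


def select_by_priority(sources: List[ClockSource]) -> Optional[ClockSource]:
    """Priority mode (clock ssm-control off): the lowest priority value wins.
    Sources at the default priority are skipped; equal priorities are broken
    by the lower sequence number."""
    candidates = [s for s in sources
                  if s.available and s.priority != DEFAULT_PRIORITY]
    if not candidates:
        return None
    return min(candidates, key=lambda s: (s.priority, s.index))


def select_by_ssm(sources: List[ClockSource]) -> Optional[ClockSource]:
    """SSM mode (clock ssm-control on): the highest SSM level wins, priority
    breaks ties, then the lower sequence number. DNU sources are never chosen."""
    candidates = [s for s in sources if s.available and s.ssm.lower() != "dnu"]
    if not candidates:
        return None
    return min(candidates,
               key=lambda s: (SSM_RANK[s.ssm.lower()], s.priority, s.index))


def select(sources: List[ClockSource], ssm_control: bool,
           manual_index: Optional[int] = None) -> Optional[ClockSource]:
    """Manual mode traces only the specified index and never switches;
    automatic mode applies one of the two rules above. None models the
    hold-in / free-running case in which nothing usable remains."""
    if manual_index is not None:
        return next((s for s in sources
                     if s.index == manual_index and s.available), None)
    return select_by_ssm(sources) if ssm_control else select_by_priority(sources)


def trace_sequence(sources: List[ClockSource], ssm_control: bool,
                   events: List[tuple]) -> List[Optional[str]]:
    """Apply (index, available) events in order and return the name traced
    after each one. Selection is recomputed from scratch every time, so a
    recovered higher-ranked source is traced again, as the guide describes."""
    by_index = {s.index: s for s in sources}
    traced = []
    for index, available in events:
        by_index[index].available = available
        chosen = select(sources, ssm_control)
        traced.append(chosen.name if chosen else None)
    return traced


if __name__ == "__main__":
    # Constructed sources shaped like the rows of display clock source output.
    demo = [ClockSource(1, "BITS0", priority=5, ssm="lnc"),
            ClockSource(2, "BITS1", priority=13),
            ClockSource(9, "LPU7")]
    # Lose BITS0, recover it, lose it again, then lose BITS1 as well.
    print(trace_sequence(demo, False, [(1, False), (1, True), (1, False), (2, False)]))
```

The last event in the demo leaves only a source at priority 19, so the model returns None: in priority mode a source left at the default priority is never selected, which is the case the guide warns about when it says the default is ignored during protection switching.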

Configuration Procedures

1. On the NE5000E using the clock board CR52CLKA, configure the types of the BITS input and output clocks; on the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB, configure the external BITS clock reference source.

2. Manually configure the clock source as needed.

3. Configure the system to automatically select a clock source based on the SSM levels or priorities of clock sources.

11.3 Configuring an External BITS Clock Reference Source

You can configure a device to trace different types of external BITS clock reference sources. (This configuration can be done on the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB.)

Applicable Environment

On a synchronous Ethernet network, if there is a BITS clock at the same site as the router, the router must be configured to trace the BITS clock. The router then serves as the master clock to provide primary clock signals for the entire network.

The BITS signal type may be 2.048 MHz, 2.048 Mbit/s, 1PPS, or DCLS, and is configured on the clock board by using commands.

Pre-configuration Tasks

None.

Configuration Procedures

Figure 11-1 Flowchart for configuring an external BITS clock reference source (flowchart with a mandatory step and an optional step: Configuring an External Clock Reference Source for the Router and the Clock Signal Type; Configuring a Mapping from an External Clock Reference Source to the Index of a User Clock Source for the Router)


11.3.1 Configuring an External Clock Reference Source for the Router and the Clock Signal Type

The NE5000E-X16 or the NE5000E using the new clock board CR52CLKB supports three external clock source types, which are BITS0, BITS1, and BITS2, and four clock signal types, which are 2.048 MHz, 2.048 Mbit/s, DCLS, and 1PPS.

Context

Do as follows on all the routers in the clock synchronization network:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock bits-type

An external BITS clock reference source and its signal type are configured.

For information about the available clock reference source IDs and signal types, see the HUAWEI NetEngine5000E Core Router Command Reference.

Step 3 Run:
commit

The configuration is committed.

----End

11.3.2 Configuring a Mapping from an External Clock Reference Source to the Index of a User Clock Source for the Router

On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB, BITS0, BITS1, or BITS2 can be mapped to the index of a user clock source. The index is then used in manual selection of a clock source.

Context

During the configuration of clock synchronization, the indexes of user clock sources are required for the selection of clock sources. Therefore, each clock source must be mapped to the index of a user clock source.

Do as follows on all the routers in the clock synchronization network:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock bits-map { bits0 | bits1 | bits2 } source source-value

An external clock reference source is mapped to the index of a user clock source.

Step 3 Run:
commit

The configuration is committed.

----End

11.3.3 Checking the Configuration

After external BITS clock reference sources are configured for the device, you can check the status of the sources and whether the mappings between the external BITS clock reference sources and the indexes of user clock reference sources have taken effect.

Context

Run the following commands to check the previous configurations:

Procedure

• Run the display clock bits-type command to check the external reference clock sources on the clock board and their signal types.

• Run the display clock source command to check whether external clock reference sources are successfully mapped to the indexes of user clock reference sources.

----End

Example

Check the external clock reference sources on the clock board and their signal types.

<HUAWEI>display clock bits-type
bits0: 2mbps
bits1: 2mbps
bits2: 2mbps

Check the configured mappings between external clock reference sources and the indexes of user clock reference sources.

<HUAWEI>display clock source
Master clock source:
------------------------------------------------------------------------------
 Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
* 1 BITS0 13 sa4 lnc on abnormal
  2 BITS1 19 sa4 unknown on abnormal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
 Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
  1 BITS0 13 sa4 lnc on abnormal
  2 BITS1 19 sa4 unknown on abnormal
------------------------------------------------------------------------------


11.4 Specifying a Clock Source Manually

In manual mode, you can specify a certain clock source for the clock board to trace.

Applicable Environment

If a device is to always trace a certain clock source and does not need to perform protection switching, you can specify that clock source for the device. Note, however, that when the specified clock source fails, the system does not switch to another clock source. Therefore, manually specifying a clock source for a device is not recommended.

In manual mode, you can specify a certain clock source for the clock board to trace. In this mode, only one clock source can be specified. If the specified clock source is lost, the system enters the hold-in state. When the precision of the clock in the hold-in state decreases, the device enters the free running state. In this case, the clock frequency of the device may differ from that of other devices.

NOTE
In the mode of automatically selecting a clock source, the clock source specified manually does not take effect.

Pre-configuration Tasks

Before manually specifying a clock source, complete the following task: ensure that the device can normally receive clock source signals from the outside, and select the manually specified BITS clock source or line clock source according to the type of the received external clock source signals.

Procedure

Step 1 Manually configure the clock board to use the BITS clock reference source.

1. Run:
system-view

The system view is displayed.

2. Run:
clock manual source source-value

The device is configured to use the BITS clock source received through the clock interface.

3. Run:
commit

The configuration is committed.

Step 2 Manually configure the clock board to use the line clock source.

1. Run:
system-view

The system view is displayed.

2. Run:
clock source lpuport slot slot-id card card-number port port-number

The specified POS interface is enabled to report received clock source signals to the clock board.

3. Run:
clock manual source source-value

The device is configured to use the line clock source received through the clock interface.

The value of source-value can only be the reference source that corresponds to an installed LPU. The number of the line clock source is equal to the slot ID of the LPU plus 2.

4. Run:
commit

The configuration is committed.

----End

Checking the Configuration

Run the following command to check the previous configuration.

Run the display clock config command to view information about the manually specified clock source. For example:

<HUAWEI>display clock config
Current source : 9
Workmode : manual
SSM control : off
Primary source : 9
Output SSM Level : bits0: unknown bits1: sets bits2:-- bits3: unknown
PLL state : Current source step into pull-in range
Run mode : Clock is in lock mode

11.5 Configuring Automatic Clock Source Selection to Be Based on Priorities

When a device has multiple clock sources but does not perform clock source switching based on SSM levels, you can set different priorities for the clock sources. When the clock source with the highest priority fails, the clock board switches to use the clock source with the second highest priority.

Applicable Environment

Where there are multiple clock sources, you can set priorities for the clock sources based on their quality. In normal situations, a clock board uses the clock source with the highest priority. When the clock source with the highest priority fails, the clock board uses the clock source with the second highest priority. When the default priority (19) of a clock reference source is used, the clock board does not select that clock reference source during protection switching.

If you configure protection switching according to the priorities of clock sources, you need to configure clock source selection not to be based on SSM levels.

Pre-configuration Tasks

Before configuring automatic clock source selection based on priorities, complete the following task:


• Ensuring that a device can normally receive multiple clock source signals from another device

Configuration Procedures

Figure 11-2 Flowchart for configuring automatic clock source selection based on priorities (flowchart with mandatory and optional steps: Configure the system to automatically select a clock source; Configuring SSM levels not to participate in protection switching; Set the priority of the clock source)

11.5.1 Configuring the System to Automatically Select a Clock Source

By default, the system automatically selects a clock source unless you specify a clock source for the system.

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock auto

The system is configured to automatically select a clock source.

Step 3 Run:
commit

The configuration is committed.

----End


11.5.2 Configuring Clock Source Selection Not to Be Based on SSM Levels

If you configure protection switching according to the priorities of clock sources, you need to configure clock source selection not to be based on SSM levels.

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock ssm-control off

Clock source selection is configured not to be based on SSM levels.

NOTE

When clock source selection is not based on SSM levels, the system selects a clock source according to the priorities of clock sources.

Step 3 Run:
commit

The configuration is committed.

----End

11.5.3 Setting the Priority of a Clock Source

Setting the priorities of clock sources is a mandatory step for configuring automatic clock source selection according to priorities. Therefore, you need to perform the configuration on all routers on a DCN.

Context

To ensure that the system can select a high-quality clock source, you need to set the priorities of the clock sources received by the device based on the quality of the clock sources. The smaller the priority value of a clock source, the higher the priority.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock priority priority-value source source-value


The priority of a clock source is set.

To set the priorities for multiple clock sources, repeat Step 2.

NOTE

• If the priority of a reference source is 19 (the default value), this reference source is not chosen during protection switching. The smaller the priority value, the higher the priority.

• In Step 2, you can set the same priority for multiple clock sources. When clock source selection is performed based on priorities but the priorities of the clock sources are the same, clock source selection is performed based on the sequence numbers of the clock sources in ascending order.

• If the clock interface on the MPU is not connected to any external clock source, the system ignores BITS0 and BITS1 when automatically selecting a clock source according to the priorities of clock sources. Instead, the system directly selects a clock source from the line clock sources of an LPU.

Step 3 Run:
commit

The configuration is committed.

----End

11.5.4 Checking the Configuration

By viewing the priority of each clock source, you can determine whether the configuration is successful.

Prerequisite

All the configurations for automatic clock selection based on priorities are complete.

Procedure

• Run the display clock source command to check the priority of each clock source.

----End

Example

Run the display clock source command to view the priority of each clock source. For example:

<HUAWEI>display clock source
Master clock source:
------------------------------------------------------------------------------
 Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
* 1 BITS0 13 sa4 lnc on abnormal
  2 BITS1 19 sa4 unknown on abnormal
  9 LPU7 19 -- unknown on abnormal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
 Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
------------------------------------------------------------------------------
  1 BITS0 13 sa4 lnc on abnormal
  2 BITS1 19 sa4 unknown on abnormal
  9 LPU7 19 -- unknown on abnormal
------------------------------------------------------------------------------


11.6 Configuring Automatic Clock Source Selection to Be Based on SSM Levels

When there are multiple clock sources, the clock board uses the clock source with the highest SSM level. When the clock source with the highest SSM level fails, the clock board uses the clock source with the second highest SSM level.

Applicable Environment

During automatic clock source selection based on priorities, the priorities of clock sources are set by configuration. If the priorities are not set according to the quality of the clock sources, the device may select a clock source of low quality. SSM levels are defined by international standards: the higher the precision of a clock source, the higher its SSM level. When switching among clock sources is performed based on SSM levels, the device can therefore select a clock source of higher precision.

When a device has multiple clock sources, the device selects a clock source based on the SSM levels of the clock sources. The higher the clock precision, the higher the SSM level. In normal situations, a clock board uses the clock source with the highest SSM level. When the clock source with the highest SSM level fails, the clock board uses the clock source with the second highest SSM level.

When a clock board is powered on, the SSM level of all clock sources defaults to Unknown. The SSM levels in descending order are Primary Reference Clock (PRC), Transit Node Clock (TNC), Local Node Clock (LNC), Synchronous Equipment Timing Source (SETS), Unknown, and Do not use for synchronization (DNU). If the SSM level of a clock source is DNU and clock source selection is not based on the SSM levels of clock sources, the clock source is not selected during protection switching.

The SSM level of a clock source can be obtained in either of the following modes:

• Automatically extracting the SSM levels of clock sources from the received clock source signals: If the clock source signals received from an upstream device contain SSM levels, those SSM levels are used and you do not need to specify SSM levels for the clock sources.

• Manually specifying the SSM levels of BITS clock sources: If the clock source signals received from an upstream device do not contain any SSM level, you need to specify the SSM level for each BITS clock source manually.

NOTE

In actual applications, the clock source signals received from lines contain SSM levels. Therefore, it is not recommended to specify SSM levels for line clock sources.

BITS clock sources have two types of signals. When the rate of a clock signal is 2.048 Mbit/s, the clock board can extract the SSM level of the clock source from the clock signal if the clock signal contains it; you can also manually specify the SSM level if the clock signal does not contain it. When the frequency of a clock signal is 2.048 MHz, you must manually specify an SSM level for the clock source.

Pre-configuration Tasks

Before configuring automatic clock source selection based on SSM levels, complete the following task:


• Ensuring that a device can normally receive multiple clock source signals from another device

Configuration Procedures

Figure 11-3 Flowchart for configuring automatic clock source selection based on SSM levels (flowchart with mandatory and optional steps: Configure the system to automatically select a clock source; Configuring Clock Source Selection to Be Based on SSM Levels; Configure the 2.048-Mbit/s BITS clock source to bear SSM timeslots; Setting the SSM Level of a 2.048 MHz BITS Clock Source)

11.6.1 Configuring the System to Automatically Select a Clock Source

By default, the system automatically selects a clock source unless you specify a clock source for the system.

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock auto

The system is configured to automatically select a clock source.

Step 3 Run:
commit

The configuration is committed.

----End

11.6.2 Configuring Clock Source Selection to Be Based on SSM Levels

Setting the SSM levels of clock sources is a mandatory step for configuring dynamic clock source selection based on SSM levels. Therefore, you need to perform the configuration on all routers on a DCN.

Context

Do as follows on the router:

After the following configurations, the router can select a clock source and perform protection switching based on the SSM levels of received clock sources.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock ssm-control on

Clock source selection is configured to be based on SSM levels.

Step 3 Run:
commit

The configuration is committed.

----End

11.6.3 (Optional) Setting the SSM Level of a 2.048 MHz BITS Clock Source

You need to configure clock source selection based on the SSM levels of 2.048 MHz BITS clock sources on routers connected to an external BITS clock.

Context

Because the 2.048 MHz BITS clock source signals received by a device do not contain any SSM level, you need to specify the SSM levels for these clock sources to ensure that clock source selection is based on the SSM levels of the clock sources.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock source { 1 | 2 } force ssm on

The function of setting an SSM level for a clock source is configured.

Step 3 Run:
clock source { 1 | 2 } ssm { unknown | prc | tnc | lnc | sets | dnu }

An SSM level is specified for a 2.048 MHz BITS clock source.

NOTE
source-value: Specifies the index of a user clock source.

• For the NE5000E, the index of the external clock source BITS0 is 1 and the index of the external clock source BITS2 is 2.

• For the NE5000E-X16, the mapping between an external clock source and the index of a user clock source must be established by using the clock bits-map { bits0 | bits1 | bits2 } source source-value command.

Step 4 Run:
commit

The configuration is committed.

----End

11.6.4 Configuring SA Timeslots in 2.048 Mbit/s BITS Clock Source Signals to Bear SSM Levels

Configuring clock source selection based on SSM levels is optional and can be performed on a router connected to a 2.048 Mbit/s BITS clock.

Context

BITS clock sources have two types of clock signals. When the clock signal type is 2.048 Mbit/s, the clock board can extract an SSM level from the SA timeslot if the SA timeslot contains the SSM level of the clock source. The default SA timeslot carrying the SSM level differs among the clock devices of different manufacturers. Therefore, to ensure that the NE5000E correctly extracts the SSM levels contained in clock signals, you need to configure on the NE5000E which SA timeslot in the 2.048 Mbit/s BITS clock source signals bears the SSM level.

Do as follows on the router connected to an external BITS clock:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
clock sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } source source-value

The SA timeslots in 2.048 Mbit/s BITS clock source signals are configured to bear SSM levels.


Step 3 Run:
commit

The configuration is committed.

----End

11.6.5 Checking the Configuration

By viewing the SSM level of each clock source, you can determine whether the configuration is successful.

Prerequisite

All the configurations of automatic clock source selection based on SSM levels are complete.

Procedure

• Run the display clock config command to check the SSM level of the clock source being used by the system.

• Run the display clock source command to check the SSM levels of all clock sources of the system.

----End

Example

Run the display clock config command to view the SSM level of the clock source being used by the system. For example:

<HUAWEI>display clock config
Current source : 1
Workmode : auto
SSM control : on
Output SSM Level : lnc
PLL state : Current source step into pull-in range
Run mode : Clock is in lock mode

Run the display clock source command to view the SSM levels of all clock sources of the system. For example:

<HUAWEI>display clock source
Master clock source:
---------------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
---------------------------------------------------------------------------------------
  1 BITS0 10 sa4 unknown on abnormal
* 2 BITS1 19 sa4 lnc on normal
  3 LPU1 19 -- unknown on abnormal
---------------------------------------------------------------------------------------
Slave clock source:
---------------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
---------------------------------------------------------------------------------------
  1 BITS0 10 sa4 unknown on abnormal
  2 BITS1 19 sa4 lnc on normal
  3 LPU1 19 -- unknown on abnormal
---------------------------------------------------------------------------------------
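As an added example (not Huawei code and not part of this guide), the following Python script parses output in the column layout shown in the display clock source examples of 11.5.4 and 11.6.5 and applies the checks a practitioner runs after completing either configuration: which source the device traces (the row marked with an asterisk), whether that source is in the normal state, whether it is the source the configured selection rule should pick, and whether the master and slave clock boards report the same sources. The output text, the function names and the row values below are constructed to follow the format of the example above; they are not captured from a device.

```python
"""Parse and check `display clock source` output.

Added example, not Huawei code and not part of this guide. The sample output
is constructed to follow the column layout of the example in 11.6.5; its
values are sample values, not a capture from a device.
"""
import re

# SSM levels in descending order of clock quality, as listed in 11.6.
SSM_ORDER = ["prc", "tnc", "lnc", "sets", "unknown", "dnu"]
DEFAULT_PRIORITY = 19   # a source left at 19 is skipped in priority mode

SAMPLE_OUTPUT = """\
<HUAWEI>display clock source
Master clock source:
---------------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
---------------------------------------------------------------------------------------
  1 BITS0 10 sa4 unknown on abnormal
* 2 BITS1 19 sa4 lnc on normal
  3 LPU1 19 -- unknown on abnormal
---------------------------------------------------------------------------------------
Slave clock source:
---------------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
---------------------------------------------------------------------------------------
  1 BITS0 10 sa4 unknown on abnormal
  2 BITS1 19 sa4 lnc on normal
  3 LPU1 19 -- unknown on abnormal
---------------------------------------------------------------------------------------
"""

# One data row: an optional "*" marking the traced source, then the seven columns.
ROW_RE = re.compile(
    r"^(?P<active>\*)?\s*(?P<index>\d+)\s+(?P<name>\S+)\s+(?P<priority>\d+)\s+"
    r"(?P<sa_bit>\S+)\s+(?P<ssm>\S+)\s+(?P<force_ssm>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_clock_sources(text):
    """Return {"master": [row, ...], "slave": [row, ...]}, one dict per source."""
    tables, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("clock source:"):   # "Master clock source:" / "Slave clock source:"
            current = stripped.split()[0].lower()
            tables[current] = []
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            tables[current].append({
                "active": m.group("active") == "*",
                "index": int(m.group("index")),
                "name": m.group("name"),
                "priority": int(m.group("priority")),
                "sa_bit": m.group("sa_bit"),
                "ssm": m.group("ssm").lower(),
                "state": m.group("state").lower(),
            })
    return tables


def ssm_rank(level):
    """Lower is better; a level the guide does not list sorts last."""
    return SSM_ORDER.index(level) if level in SSM_ORDER else len(SSM_ORDER)


def check_active_source(rows, ssm_control):
    """Return (ok, reason). The source marked "*" must be in normal state and
    must be the one the configured rule would pick among the normal sources:
    highest SSM level (priority, then index, as tie-breaks) when SSM control
    is on, lowest non-default priority when it is off."""
    active = [r for r in rows if r["active"]]
    if len(active) != 1:
        return False, "no single active source"
    traced = active[0]
    if traced["state"] != "normal":
        return False, f"active source {traced['name']} is {traced['state']}"
    usable = [r for r in rows if r["state"] == "normal"]
    if ssm_control:
        usable = [r for r in usable if r["ssm"] != "dnu"]
        key = lambda r: (ssm_rank(r["ssm"]), r["priority"], r["index"])
    else:
        usable = [r for r in usable if r["priority"] != DEFAULT_PRIORITY]
        key = lambda r: (r["priority"], r["index"])
    if not usable:
        return False, "no usable source under the configured rule"
    expected = min(usable, key=key)
    if expected["name"] != traced["name"]:
        return False, f"expected {expected['name']}, device traces {traced['name']}"
    return True, f"{traced['name']} traced as expected"


def master_slave_consistent(tables):
    """Both clock boards should list the same sources with the same priority,
    SSM level and state; a mismatch should be investigated before relying
    on an MPU switchover."""
    def key(r):
        return (r["index"], r["name"], r["priority"], r["ssm"], r["state"])
    return [key(r) for r in tables.get("master", [])] == \
        [key(r) for r in tables.get("slave", [])]


if __name__ == "__main__":
    parsed = parse_clock_sources(SAMPLE_OUTPUT)
    print(check_active_source(parsed["master"], ssm_control=True))
    print(check_active_source(parsed["master"], ssm_control=False))
    print(master_slave_consistent(parsed))
```

Run against the sample, the SSM-mode check passes (BITS1 has the highest SSM level among the normal sources), while the same output checked under the priority rule fails because the only normal source is still at the default priority 19, which is exactly the situation 11.5.3 warns leaves the source unselectable.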

11.7 Configuration Examples

This section describes how to configure protection switching among clock sources, with an example. The networking requirements, configuration notes, and configuration roadmap are provided.

11.7.1 Example for Configuring Protection Switching Among Clock Sources

When there are multiple clock sources, you can set different priorities for them. In normal situations, a clock board uses the clock source with the highest priority. When the clock source with the highest priority fails, the clock board uses the clock source with the second highest priority.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format slot number/card number/interface number. On an NE5000E cluster, an interface is numbered in the format chassis ID/slot number/card number/interface number, and a slot is numbered in the format chassis ID/slot number.

As shown in Figure 11-4, BITS clock signals enter Router A and Router D through clock interfaces. The two external BITS clocks satisfy the signal quality requirements of a G.812 local clock. Normally, the devices on the entire network synchronize with the external BITS clock of Router A.

When the link between any two routers except the link between Router D and Router E is faulty, protection switching among clock sources is performed as follows:

l When the external BITS clock of Router A becomes faulty, all routers trace the externalBITS clock of Router D.

l When the external BITS clock of Router D becomes faulty, all routers trace the externalBITS clock of Router A.

l When the external BITS clock of Router A becomes faulty and then the external BITS clockof Router D becomes faulty, all routers trace the internal clock of Router D.

l When the external BITS clock of Router D becomes faulty and then the external BITS clockof Router A becomes faulty, all routers trace the internal clock of Router A.


Figure 11-4 Networking diagram for configuring protection switching among clock sources

[Figure: Router A, Router B, Router C, Router D, Router E and Router F are connected in a ring through their POS1/0/0 and POS2/0/0 interfaces (each interface is labelled W or E; link addresses 10.1.1.1/2, 20.1.1.1/2, 30.1.1.1/2, 40.1.1.1/2 and 50.1.1.1/2). External BITS clocks are connected to Router A and Router D.]

Configuration Notes

None.

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the type of the external BITS clock to which Router A and Router D are connected to 2.048 Mbit/s.

2. Configure the priority of the clock source on each router. This ensures that the protection switchover of clock sources is performed based on priorities when a fault occurs.

Data Preparation

To complete the configuration, you need the following data: ID and priority of the clock source of each router, as shown in Table 11-3.

Table 11-3 Clock sources and their priorities on each router

Router    Clock Source in Use   Available Clock Source   ID   Priority
Router A  BITS0                 BITS0                    1    1
Router A  BITS0                 LPU2                     4    2
Router A  BITS0                 LPU1                     3    3
Router A  BITS0                 Internal clock           0    4
Router B  LPU1                  LPU1                     3    1
Router B  LPU1                  LPU2                     4    2
Router B  LPU1                  Internal clock           0    3
Router C  LPU2                  LPU2                     4    1
Router C  LPU2                  LPU1                     3    2
Router C  LPU2                  Internal clock           0    3
Router D  LPU1                  LPU1                     3    1
Router D  LPU1                  LPU2                     4    2
Router D  LPU1                  BITS1                    2    3
Router D  LPU1                  Internal clock           0    4
Router E  LPU1                  LPU1                     3    1
Router E  LPU1                  LPU2                     4    2
Router E  LPU1                  Internal clock           0    3
Router F  LPU2                  LPU2                     4    1
Router F  LPU2                  LPU1                     3    2
Router F  LPU2                  Internal clock           0    3

Procedure

Step 1 Set the type of the external BITS clock sources of Router A and Router D to 2.048 Mbit/s.

Step 2 Connect BITS clock cables to each router, as shown in Figure 11-4.

Step 3 Configure the IP addresses for interfaces on each router. The configuration details are not mentioned here.

Step 4 Set priorities of clock sources of each router, as shown in Figure 11-4.

# Configure Router A.

<RouterA> system-view
[~RouterA] clock auto
[~RouterA] clock ssm-control off
[~RouterA] clock priority 1 source 1
[~RouterA] clock priority 2 source 4
[~RouterA] clock priority 3 source 3
[~RouterA] commit

# Configure Router B.

<RouterB> system-view
[~RouterB] clock auto
[~RouterB] clock ssm-control off
[~RouterB] clock priority 1 source 3
[~RouterB] clock priority 2 source 4
[~RouterB] commit

# Configure Router C.

<RouterC> system-view
[~RouterC] clock auto
[~RouterC] clock ssm-control off
[~RouterC] clock priority 1 source 4
[~RouterC] clock priority 2 source 3
[~RouterC] commit

# Configure Router D.

<RouterD> system-view
[~RouterD] clock auto
[~RouterD] clock ssm-control off
[~RouterD] clock priority 1 source 3
[~RouterD] clock priority 2 source 4
[~RouterD] clock priority 3 source 2
[~RouterD] commit

# Configure Router E.

<RouterE> system-view
[~RouterE] clock auto
[~RouterE] clock ssm-control off
[~RouterE] clock priority 1 source 3
[~RouterE] clock priority 2 source 4
[~RouterE] commit

# Configure Router F.

<RouterF> system-view
[~RouterF] clock auto
[~RouterF] clock ssm-control off
[~RouterF] clock priority 1 source 4
[~RouterF] clock priority 2 source 3
[~RouterF] commit

Step 5 Check the attributes of the clock sources of Router A.

<RouterA> display clock source
Master clock source:
-----------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
-----------------------------------------------------------------------------------
* 1    BITS0       1        sa4    unknown   on       normal
  2    BITS1       19       sa4    unknown   on       abnormal
  3    LPU1        3        --     unknown   on       normal
  4    LPU2        2        --     unknown   on       normal
-----------------------------------------------------------------------------------
Slave clock source:
-----------------------------------------------------------------------------------
  1    BITS0       1        sa4    unknown   on       normal
  2    BITS1       19       sa4    unknown   on       abnormal
  3    LPU1        3        --     unknown   on       normal
  4    LPU2        2        --     unknown   on       normal
-----------------------------------------------------------------------------------

NOTE

"*" indicates that the clock source functions as the master clock source. The master clock source here is BITS0.

Step 6 Check the attributes of the clock sources of other routers.

# The command output of Router B, Router C, Router D, Router E, and Router F is similar. The following takes the command output of Router B as an example.

<RouterB> display clock source
Master clock source:
-----------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
-----------------------------------------------------------------------------------
  1    BITS0       19       sa4    unknown   on       abnormal
  2    BITS1       19       sa4    unknown   on       abnormal
* 3    LPU1        1        --     unknown   on       normal
  4    LPU2        2        --     unknown   on       normal
-----------------------------------------------------------------------------------
Slave clock source:
-----------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
-----------------------------------------------------------------------------------
  1    BITS0       19       sa4    unknown   on       abnormal
  2    BITS1       19       sa4    unknown   on       abnormal
  3    LPU1        1        --     unknown   on       normal
  4    LPU2        2        --     unknown   on       normal
-----------------------------------------------------------------------------------

Step 7 Verify the configuration.

If the link between any two routers is disconnected or the BITS clock source is lost, protection switching is performed automatically, so all routers trace the same clock source and clock synchronization is maintained.

The following takes the loss of the BITS clock of Router A as an example. Router A, Router B, Router C, Router E, and Router F then trace the BITS clock of Router D. The command output of Router A is shown as an example.

# Run the following command on Router A.

<RouterA> display clock source
Master clock source:
-----------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
-----------------------------------------------------------------------------------
  1    BITS0       1        sa4    unknown   on       abnormal
  2    BITS1       19       sa4    unknown   on       abnormal
  3    LPU1        3        --     unknown   on       normal
* 4    LPU2        2        --     unknown   on       normal
-----------------------------------------------------------------------------------
Slave clock source:
-----------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
-----------------------------------------------------------------------------------
  1    BITS0       1        sa4    unknown   on       abnormal
  2    BITS1       19       sa4    unknown   on       abnormal
  3    LPU1        3        --     unknown   on       normal
  4    LPU2        2        --     unknown   on       normal
-----------------------------------------------------------------------------------

After the BITS clock source of Router A is lost, the status of the BITS0 clock source on Router A is abnormal and the clock source used by the system is Source 4 (LPU2), the source with the next best priority.

# After the BITS clock of Router A is lost, all routers perform protection switching based on the priorities of their clock sources. Figure 11-5 shows the clock source tracing after the BITS clock source of Router A is lost.
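The two outputs of Router A above (before and after the BITS clock is lost) are what an operator has to read when deciding whether a clock switchover has happened and whether the clock board chose the source the configured priorities call for. The following Python script is an added example, not Huawei code or part of this guide: it parses the "Master clock source" table in the layout shown on this page, recomputes the expected master from the selection rule the example describes (among sources in the "normal" state, the lowest priority value wins), and flags the case where a better-priority source has gone abnormal, which is the condition that should raise an alarm in monitoring. The sample outputs are constructed from the two Router A tables above; the tie-break on source ID when two usable sources share a priority value is an assumption of this script, not something the guide states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples: the "display clock source" output of Router A from the
# example, before and after its external BITS clock is lost (master table only,
# the slave table is not evaluated by this script).
BEFORE_FAILURE = """\
Master clock source:
-----------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
-----------------------------------------------------------------------------------
* 1    BITS0       1        sa4    unknown   on       normal
  2    BITS1       19       sa4    unknown   on       abnormal
  3    LPU1        3        --     unknown   on       normal
  4    LPU2        2        --     unknown   on       normal
-----------------------------------------------------------------------------------
Slave clock source:
"""

AFTER_FAILURE = """\
Master clock source:
-----------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
-----------------------------------------------------------------------------------
  1    BITS0       1        sa4    unknown   on       abnormal
  2    BITS1       19       sa4    unknown   on       abnormal
  3    LPU1        3        --     unknown   on       normal
* 4    LPU2        2        --     unknown   on       normal
-----------------------------------------------------------------------------------
Slave clock source:
"""

# One table row: optional "*" marker, source ID, description, priority,
# Sa-bit, input SSM, force-SSM flag and source state.
ROW = re.compile(
    r"^\s*(?P<master>\*)?\s*(?P<id>\d+)\s+(?P<desc>\S+)\s+(?P<prio>\d+)\s+"
    r"(?P<sabit>\S+)\s+(?P<ssm>\S+)\s+(?P<forcessm>\S+)\s+(?P<state>\S+)\s*$")


@dataclass
class ClockSource:
    source_id: int
    description: str
    priority: int
    state: str
    marked_master: bool


def parse_master_section(output: str) -> List[ClockSource]:
    """Return the rows of the 'Master clock source' table, ignoring the slave table."""
    rows: List[ClockSource] = []
    in_master = False
    for line in output.splitlines():
        if line.startswith("Master clock source"):
            in_master = True
            continue
        if line.startswith("Slave clock source"):
            break
        m = ROW.match(line) if in_master else None
        if m:
            rows.append(ClockSource(int(m["id"]), m["desc"], int(m["prio"]),
                                    m["state"], m["master"] is not None))
    return rows


def expected_master(rows: List[ClockSource]) -> Optional[ClockSource]:
    """Selection rule from the example: the usable ('normal') source with the
    lowest priority value wins. Tie-break on source ID is an assumption here."""
    usable = [r for r in rows if r.state == "normal"]
    return min(usable, key=lambda r: (r.priority, r.source_id), default=None)


def audit(output: str) -> Dict[str, object]:
    """Compare the marked master with the expected one and detect a switchover."""
    rows = parse_master_section(output)
    marked = next((r for r in rows if r.marked_master), None)
    expected = expected_master(rows)
    best_configured = min(rows, key=lambda r: (r.priority, r.source_id))
    return {
        "marked_master": marked.description if marked else None,
        "expected_master": expected.description if expected else None,
        # The clock board followed the configured priorities.
        "consistent": (marked is not None and expected is not None
                       and marked.source_id == expected.source_id),
        # A better-priority source is unusable: protection switching happened.
        "switched": marked is not None and marked.source_id != best_configured.source_id,
        "abnormal": [r.description for r in rows if r.state != "normal"],
    }


if __name__ == "__main__":
    for name, text in (("before", BEFORE_FAILURE), ("after", AFTER_FAILURE)):
        print(name, audit(text))
```

Running the script reports BITS0 as the consistent master before the fault and LPU2 afterwards with "switched" set, together with the list of abnormal sources, which is the information to raise from a periodic `display clock source` poll rather than waiting for someone to notice the "*" has moved.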

Figure 11-5 Networking diagram of the clock source tracing after the BITS clock source of Router A is lost

[Figure: the same ring of Router A to Router F as in Figure 11-4, with the BITS clock of Router A lost; only the BITS clock connected to Router D remains, and all routers trace it.]

----End

Configuration Files

- Configuration file of Router A

#
 sysname RouterA
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 60.1.1.2 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 10.1.1.1 255.255.255.0
#
 clock priority 1 source 1
 clock priority 2 source 4
 clock priority 3 source 3
#
return

- Configuration file of Router B

#
 sysname RouterB
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 60.1.1.1 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 50.1.1.2 255.255.255.0
#
 clock priority 1 source 3
 clock priority 2 source 4
#
return

- Configuration file of Router C

#
 sysname RouterC
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 40.1.1.2 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 50.1.1.1 255.255.255.0
#
 clock priority 1 source 4
 clock priority 2 source 3
#
return

- Configuration file of Router D

#
 sysname RouterD
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 40.1.1.1 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 30.1.1.2 255.255.255.0
#
 clock priority 1 source 3
 clock priority 2 source 4
 clock priority 3 source 2
#
return

- Configuration file of Router E

#
 sysname RouterE
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 20.1.1.2 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 30.1.1.1 255.255.255.0
#
 clock priority 1 source 3
 clock priority 2 source 4
#
return

- Configuration file of Router F

#
 sysname RouterF
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 20.1.1.1 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 10.1.1.2 255.255.255.0
#
 clock priority 1 source 4
 clock priority 2 source 3
#
return
